diff --git a/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/Cytoscape.stories.tsx b/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/Cytoscape.stories.tsx
index 46754c8c7cb6b1..a8d3b843a1f3d3 100644
--- a/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/Cytoscape.stories.tsx
+++ b/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/Cytoscape.stories.tsx
@@ -75,27 +75,17 @@ storiesOf('app/ServiceMap/Cytoscape', module)
const cy = cytoscape();
const elements = [
{ data: { id: 'default' } },
- { data: { id: 'cache', label: 'cache', 'span.type': 'cache' } },
- { data: { id: 'database', label: 'database', 'span.type': 'db' } },
+ { data: { id: 'cache', 'span.type': 'cache' } },
+ { data: { id: 'database', 'span.type': 'db' } },
{
data: {
id: 'elasticsearch',
- label: 'elasticsearch',
'span.type': 'db',
'span.subtype': 'elasticsearch'
}
},
- {
- data: { id: 'external', label: 'external', 'span.type': 'external' }
- },
- {
- data: {
- id: 'messaging',
- label: 'messaging',
- 'span.type': 'messaging'
- }
- },
-
+ { data: { id: 'external', 'span.type': 'external' } },
+ { data: { id: 'messaging', 'span.type': 'messaging' } },
{
data: {
id: 'dotnet',
@@ -119,11 +109,18 @@ storiesOf('app/ServiceMap/Cytoscape', module)
},
{
data: {
- id: 'js-base',
- 'service.name': 'js-base service',
+ id: 'RUM (js-base)',
+ 'service.name': 'RUM service',
'agent.name': 'js-base'
}
},
+ {
+ data: {
+ id: 'RUM (rum-js)',
+ 'service.name': 'RUM service',
+ 'agent.name': 'rum-js'
+ }
+ },
{
data: {
id: 'nodejs',
@@ -163,7 +160,8 @@ storiesOf('app/ServiceMap/Cytoscape', module)
description={
agent.name: {node.data('agent.name') || 'undefined'},
- span.type: {node.data('span.type') || 'undefined'}
+ span.type: {node.data('span.type') || 'undefined'},
+ span.subtype: {node.data('span.subtype') || 'undefined'}
}
icon={
@@ -174,7 +172,7 @@ storiesOf('app/ServiceMap/Cytoscape', module)
width={80}
/>
}
- title={node.data('label')}
+ title={node.data('id')}
/>
))}
diff --git a/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/Cytoscape.tsx b/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/Cytoscape.tsx
index 7bdc6aebbd9a0f..21bedc204f48b7 100644
--- a/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/Cytoscape.tsx
+++ b/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/Cytoscape.tsx
@@ -124,6 +124,12 @@ export function Cytoscape({
// Trigger a custom "data" event when data changes
useEffect(() => {
if (cy && elements.length > 0) {
+ const renderedElements = cy.elements('node,edge');
+ const latestElementIds = elements.map(el => el.data.id);
+ const absentElements = renderedElements.filter(
+ el => !latestElementIds.includes(el.id())
+ );
+ cy.remove(absentElements);
cy.add(elements);
cy.trigger('data');
}
diff --git a/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/cytoscapeOptions.ts b/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/cytoscapeOptions.ts
index 0438842f7af10d..92f66f698f0446 100644
--- a/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/cytoscapeOptions.ts
+++ b/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/cytoscapeOptions.ts
@@ -83,7 +83,7 @@ const style: cytoscape.Stylesheet[] = [
style: {
'curve-style': 'taxi',
// @ts-ignore
- 'taxi-direction': 'rightward',
+ 'taxi-direction': 'auto',
'line-color': lineColor,
'overlay-opacity': 0,
'target-arrow-color': lineColor,
diff --git a/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/icons.ts b/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/icons.ts
index 4925ffba310b57..dd9b48d3127254 100644
--- a/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/icons.ts
+++ b/x-pack/legacy/plugins/apm/public/components/app/ServiceMap/icons.ts
@@ -5,11 +5,12 @@
*/
import cytoscape from 'cytoscape';
+import { isRumAgentName } from '../../../../../../../plugins/apm/common/agent_name';
import {
AGENT_NAME,
SERVICE_NAME,
- SPAN_TYPE,
- SPAN_SUBTYPE
+ SPAN_SUBTYPE,
+ SPAN_TYPE
} from '../../../../../../../plugins/apm/common/elasticsearch_fieldnames';
import databaseIcon from './icons/database.svg';
import defaultIconImport from './icons/default.svg';
@@ -62,7 +63,12 @@ export function iconForNode(node: cytoscape.NodeSingular) {
const type = node.data(SPAN_TYPE);
if (node.data(SERVICE_NAME)) {
- return serviceIcons[node.data(AGENT_NAME) as string];
+ const agentName = node.data(AGENT_NAME);
+ // RUM can have multiple names. Normalize it
+ const normalizedAgentName = isRumAgentName(agentName)
+ ? 'js-base'
+ : agentName;
+ return serviceIcons[normalizedAgentName];
} else if (isIE11) {
return defaultIcon;
} else if (
diff --git a/x-pack/legacy/plugins/apm/public/components/shared/ErrorRateAlertTrigger/index.tsx b/x-pack/legacy/plugins/apm/public/components/shared/ErrorRateAlertTrigger/index.tsx
index 9bfc5936a555ee..b7e23c2979cb89 100644
--- a/x-pack/legacy/plugins/apm/public/components/shared/ErrorRateAlertTrigger/index.tsx
+++ b/x-pack/legacy/plugins/apm/public/components/shared/ErrorRateAlertTrigger/index.tsx
@@ -6,6 +6,7 @@
import React from 'react';
import { EuiFieldNumber } from '@elastic/eui';
import { i18n } from '@kbn/i18n';
+import { isFinite } from 'lodash';
import { ForLastExpression } from '../../../../../../../plugins/triggers_actions_ui/public';
import { ALERT_TYPES_CONFIG } from '../../../../../../../plugins/apm/common/alert_types';
import { ServiceAlertTrigger } from '../ServiceAlertTrigger';
@@ -37,15 +38,17 @@ export function ErrorRateAlertTrigger(props: Props) {
...alertParams
};
+ const threshold = isFinite(params.threshold) ? params.threshold : '';
+
const fields = [
setAlertParams('threshold', parseInt(e.target.value, 10))
diff --git a/x-pack/legacy/plugins/siem/server/lib/index_fields/elasticsearch_adapter.test.ts b/x-pack/legacy/plugins/siem/server/lib/index_fields/elasticsearch_adapter.test.ts
index 93472b8539efd7..20bc1387a3c4e7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/index_fields/elasticsearch_adapter.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/index_fields/elasticsearch_adapter.test.ts
@@ -23,77 +23,108 @@ describe('Index Fields', () => {
).toEqual(
sortBy('name', [
{
- aggregatable: true,
- category: 'base',
description:
- 'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
+ 'Date/time when the event originated.\n\nThis is the date/time extracted from the event, typically representing when\nthe event was generated by the source.\n\nIf the event source has no original timestamp, this value is typically populated\nby the first time the event was received by the pipeline.\n\nRequired field for all events.',
example: '2016-05-23T08:05:34.853Z',
- indexes: ['auditbeat', 'filebeat', 'packetbeat'],
name: '@timestamp',
- searchable: true,
type: 'date',
+ searchable: true,
+ aggregatable: true,
+ category: 'base',
+ indexes: ['auditbeat', 'filebeat', 'packetbeat'],
},
{
+ description: 'Each document has an _id that uniquely identifies it',
+ example: 'Y-6TfmcB0WOhS6qyMv3s',
+ footnote: '',
+ group: 1,
+ level: 'core',
+ name: '_id',
+ required: true,
+ type: 'string',
+ searchable: true,
+ aggregatable: false,
+ readFromDocValues: true,
+ category: '_id',
+ indexes: ['auditbeat', 'filebeat', 'packetbeat'],
+ },
+ {
+ description:
+ 'An index is like a ‘database’ in a relational database. It has a mapping which defines multiple types. An index is a logical namespace which maps to one or more primary shards and can have zero or more replica shards.',
+ example: 'auditbeat-8.0.0-2019.02.19-000001',
+ footnote: '',
+ group: 1,
+ level: 'core',
+ name: '_index',
+ required: true,
+ type: 'string',
+ searchable: true,
aggregatable: true,
- category: 'agent',
+ readFromDocValues: true,
+ category: '_index',
+ indexes: ['auditbeat', 'filebeat', 'packetbeat'],
+ },
+ {
description:
- 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
+ 'Ephemeral identifier of this agent (if one exists).\n\nThis id normally changes across restarts, but `agent.id` does not.',
example: '8a4f500f',
- indexes: ['auditbeat'],
name: 'agent.ephemeral_id',
- searchable: true,
type: 'string',
- },
- {
+ searchable: true,
aggregatable: true,
category: 'agent',
- indexes: ['filebeat'],
+ indexes: ['auditbeat'],
+ },
+ {
name: 'agent.hostname',
searchable: true,
type: 'string',
- },
- {
aggregatable: true,
category: 'agent',
+ indexes: ['filebeat'],
+ },
+ {
description:
- 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
+ 'Unique identifier of this agent (if one exists).\n\nExample: For Beats this would be beat.id.',
example: '8a4f500d',
- indexes: ['packetbeat'],
name: 'agent.id',
- searchable: true,
type: 'string',
- },
- {
+ searchable: true,
aggregatable: true,
category: 'agent',
+ indexes: ['packetbeat'],
+ },
+ {
description:
- 'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
+ 'Custom name of the agent.\n\nThis is a name that can be given to an agent. This can be helpful if for example\ntwo Filebeat instances are running on the same host but a human readable separation\nis needed on which Filebeat instance data is coming from.\n\nIf no name is given, the name is often left empty.',
example: 'foo',
- indexes: ['auditbeat', 'filebeat'],
name: 'agent.name',
- searchable: true,
type: 'string',
- },
- {
+ searchable: true,
aggregatable: true,
category: 'agent',
+ indexes: ['auditbeat', 'filebeat'],
+ },
+ {
description:
- 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.',
+ 'Type of the agent.\n\nThe agent type stays always the same and should be given by the agent used.\nIn case of Filebeat the agent would always be Filebeat also if two Filebeat\ninstances are run on the same machine.',
example: 'filebeat',
- indexes: ['auditbeat', 'packetbeat'],
name: 'agent.type',
- searchable: true,
type: 'string',
- },
- {
+ searchable: true,
aggregatable: true,
category: 'agent',
+ indexes: ['auditbeat', 'packetbeat'],
+ },
+ {
description: 'Version of the agent.',
example: '6.0.0-rc2',
- indexes: ['auditbeat', 'filebeat'],
name: 'agent.version',
- searchable: true,
type: 'string',
+ searchable: true,
+ aggregatable: true,
+ category: 'agent',
+ indexes: ['auditbeat', 'filebeat'],
},
])
);
diff --git a/x-pack/legacy/plugins/siem/server/lib/index_fields/elasticsearch_adapter.ts b/x-pack/legacy/plugins/siem/server/lib/index_fields/elasticsearch_adapter.ts
index 48b9750ddd9499..7cfb5ad3911496 100644
--- a/x-pack/legacy/plugins/siem/server/lib/index_fields/elasticsearch_adapter.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/index_fields/elasticsearch_adapter.ts
@@ -4,7 +4,7 @@
* you may not use this file except in compliance with the Elastic License.
*/
-import { get } from 'lodash/fp';
+import { isEmpty, get } from 'lodash/fp';
import { IndexField } from '../../graphql/types';
import {
@@ -51,6 +51,23 @@ export class ElasticsearchIndexFieldAdapter implements FieldsAdapter {
}
}
+const missingFields = [
+ {
+ name: '_id',
+ type: 'string',
+ searchable: true,
+ aggregatable: false,
+ readFromDocValues: true,
+ },
+ {
+ name: '_index',
+ type: 'string',
+ searchable: true,
+ aggregatable: true,
+ readFromDocValues: true,
+ },
+];
+
export const formatIndexFields = (
responsesIndexFields: IndexFieldDescriptor[][],
indexesAlias: IndexAlias[]
@@ -59,20 +76,23 @@ export const formatIndexFields = (
.reduce(
(accumulator: IndexField[], indexFields: IndexFieldDescriptor[], indexesAliasIdx: number) => [
...accumulator,
- ...indexFields.reduce((itemAccumulator: IndexField[], index: IndexFieldDescriptor) => {
- const alias: IndexAlias = indexesAlias[indexesAliasIdx];
- const splitName = index.name.split('.');
- const category = baseCategoryFields.includes(splitName[0]) ? 'base' : splitName[0];
- return [
- ...itemAccumulator,
- {
- ...(hasDocumentation(alias, index.name) ? getDocumentation(alias, index.name) : {}),
- ...index,
- category,
- indexes: [alias],
- } as IndexField,
- ];
- }, []),
+ ...[...missingFields, ...indexFields].reduce(
+ (itemAccumulator: IndexField[], index: IndexFieldDescriptor) => {
+ const alias: IndexAlias = indexesAlias[indexesAliasIdx];
+ const splitName = index.name.split('.');
+ const category = baseCategoryFields.includes(splitName[0]) ? 'base' : splitName[0];
+ return [
+ ...itemAccumulator,
+ {
+ ...(hasDocumentation(alias, index.name) ? getDocumentation(alias, index.name) : {}),
+ ...index,
+ category,
+ indexes: [alias],
+ } as IndexField,
+ ];
+ },
+ []
+ ),
],
[]
)
@@ -84,7 +104,10 @@ export const formatIndexFields = (
...accumulator.slice(0, alreadyExistingIndexField),
{
...existingIndexField,
- indexes: [...existingIndexField.indexes, ...indexfield.indexes],
+ description: isEmpty(existingIndexField.description)
+ ? indexfield.description
+ : existingIndexField.description,
+ indexes: Array.from(new Set([...existingIndexField.indexes, ...indexfield.indexes])),
},
...accumulator.slice(alreadyExistingIndexField + 1),
];
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/auditbeat.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/auditbeat.ts
index 773d4ed6a7e953..76c865679dd058 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/auditbeat.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/auditbeat.ts
@@ -15,91 +15,129 @@ export const auditbeatSchema: Schema = [
{
key: 'ecs',
title: 'ECS',
- description: 'ECS fields.',
+ description: 'ECS Fields.',
fields: [
{
name: '@timestamp',
- type: 'date',
level: 'core',
required: true,
- example: '2016-05-23T08:05:34.853Z',
+ type: 'date',
description:
- 'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
- },
- {
- name: 'tags',
- level: 'core',
- type: 'keyword',
- example: '["production", "env2"]',
- description: 'List of keywords used to tag each event.',
+ 'Date/time when the event originated.\n\nThis is the date/time extracted from the event, typically representing when\nthe event was generated by the source.\n\nIf the event source has no original timestamp, this value is typically populated\nby the first time the event was received by the pipeline.\n\nRequired field for all events.',
+ example: '2016-05-23T08:05:34.853Z',
},
{
name: 'labels',
level: 'core',
type: 'object',
- example: {
- env: 'production',
- application: 'foo-bar',
- },
+ object_type: 'keyword',
description:
- 'Key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.',
+ 'Custom key/value pairs.\n\nCan be used to add meta information to events. Should not contain nested objects.\nAll values are stored as keyword.\n\nExample: `docker` and `k8s` labels.',
+ example: '{"application": "foo-bar", "env": "production"}',
},
{
name: 'message',
level: 'core',
type: 'text',
- example: 'Hello World',
description:
- 'For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.',
+ 'For log events the message field contains the log message, optimized\nfor viewing in a log viewer.\n\nFor structured logs without an original message field, other fields can be concatenated\nto form a human-readable summary of the event.\n\nIf multiple messages exist, they can be combined into one message.',
+ example: 'Hello World',
+ },
+ {
+ name: 'tags',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'List of keywords used to tag each event.',
+ example: '["production", "env2"]',
},
{
name: 'agent',
title: 'Agent',
group: 2,
description:
- 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.',
+ 'The agent fields contain the data about the software entity, if\nany, that collects, detects, or observes events on a host, or takes measurements\non a host.\n\nExamples include Beats. Agents may also run on observers. ECS agent.* fields\nshall be populated with details of the agent running on the host or observer\nwhere the event happened or the measurement was taken.',
footnote:
- 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.',
+ 'Examples: In the case of Beats for logs, the agent.name is filebeat.\nFor APM, it is the agent running in the app/service. The agent information does\nnot change if data is sent through queuing systems like Kafka, Redis, or processing\nsystems such as Logstash or APM Server.',
type: 'group',
fields: [
{
- name: 'version',
+ name: 'ephemeral_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Ephemeral identifier of this agent (if one exists).\n\nThis id normally changes across restarts, but `agent.id` does not.',
+ example: '8a4f500f',
+ },
+ {
+ name: 'id',
level: 'core',
type: 'keyword',
- description: 'Version of the agent.',
- example: '6.0.0-rc2',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of this agent (if one exists).\n\nExample: For Beats this would be beat.id.',
+ example: '8a4f500d',
},
{
name: 'name',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
+ 'Custom name of the agent.\n\nThis is a name that can be given to an agent. This can be helpful if for example\ntwo Filebeat instances are running on the same host but a human readable separation\nis needed on which Filebeat instance data is coming from.\n\nIf no name is given, the name is often left empty.',
example: 'foo',
},
{
name: 'type',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.',
+ 'Type of the agent.\n\nThe agent type stays always the same and should be given by the agent used.\nIn case of Filebeat the agent would always be Filebeat also if two Filebeat\ninstances are run on the same machine.',
example: 'filebeat',
},
{
- name: 'id',
+ name: 'version',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'Version of the agent.',
+ example: '6.0.0-rc2',
+ },
+ ],
+ },
+ {
+ name: 'as',
+ title: 'Autonomous System',
+ group: 2,
+ description:
+ 'An autonomous system (AS) is a collection of connected Internet Protocol\n(IP) routing prefixes under the control of one or more network operators on\nbehalf of a single administrative entity or domain that presents a common, clearly\ndefined routing policy to the internet.',
+ type: 'group',
+ fields: [
+ {
+ name: 'number',
+ level: 'extended',
+ type: 'long',
description:
- 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
- example: '8a4f500d',
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
},
{
- name: 'ephemeral_id',
+ name: 'organization.name',
level: 'extended',
type: 'keyword',
- description:
- 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
- example: '8a4f500f',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
},
],
},
@@ -108,4693 +146,7750 @@ export const auditbeatSchema: Schema = [
title: 'Client',
group: 2,
description:
- 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.',
+ 'A client is defined as the initiator of a network connection for\nevents regarding sessions, connections, or bidirectional flow records.\n\nFor TCP events, the client is the initiator of the TCP connection that sends\nthe SYN packet(s). For other protocols, the client is generally the initiator\nor requestor in the network transaction. Some systems use the term "originator"\nto refer the client in TCP connections. The client fields describe details about\nthe system acting as the client in the network event. Client fields are usually\npopulated in conjunction with server fields. Client fields are generally not\npopulated for packet-level events.\n\nClient / server representations can add semantic context to an exchange, which\nis helpful to visualize the data in certain situations. If your context falls\nin that category, you should still ensure that source and destination are filled\nappropriately.',
type: 'group',
fields: [
{
name: 'address',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ 'Some event client addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
},
{
- name: 'ip',
- level: 'core',
- type: 'ip',
- description: 'IP address of the client. Can be one or multiple IPv4 or IPv6 addresses.',
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
},
{
- name: 'port',
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
level: 'core',
type: 'long',
- description: 'Port of the client.',
+ format: 'bytes',
+ description: 'Bytes sent from the client to the server.',
+ example: 184,
},
{
- name: 'mac',
+ name: 'domain',
level: 'core',
type: 'keyword',
- description: 'MAC address of the client.',
+ ignore_above: 1024,
+ description: 'Client domain.',
},
{
- name: 'domain',
+ name: 'geo.city_name',
level: 'core',
type: 'keyword',
- description: 'Client domain.',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'bytes',
+ name: 'geo.continent_name',
level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the client to the server.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'packets',
+ name: 'geo.country_iso_code',
level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the client to the server.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
- ],
- },
- {
- name: 'cloud',
- title: 'Cloud',
- group: 2,
- description: 'Fields related to the cloud or infrastructure the events are coming from.',
- footnote:
- 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.',
- type: 'group',
- fields: [
{
- name: 'provider',
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
level: 'extended',
- example: 'ec2',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Name of the cloud provider. Example values are ec2, gce, or digitalocean.',
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'availability_zone',
- level: 'extended',
- example: 'us-east-1c',
+ name: 'geo.region_iso_code',
+ level: 'core',
type: 'keyword',
- description: 'Availability zone in which this host is running.',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'region',
- level: 'extended',
+ name: 'geo.region_name',
+ level: 'core',
type: 'keyword',
- example: 'us-east-1',
- description: 'Region in which this host is running.',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
{
- name: 'instance.id',
- level: 'extended',
- type: 'keyword',
- example: 'i-1234567890abcdef0',
- description: 'Instance ID of the host machine.',
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description:
+ 'IP address of the client.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
},
{
- name: 'instance.name',
- level: 'extended',
+ name: 'mac',
+ level: 'core',
type: 'keyword',
- description: 'Instance name of the host machine.',
+ ignore_above: 1024,
+ description: 'MAC address of the client.',
},
{
- name: 'machine.type',
+ name: 'nat.ip',
level: 'extended',
- type: 'keyword',
- example: 't2.medium',
- description: 'Machine type of the host machine.',
+ type: 'ip',
+ description:
+ 'Translated IP of source based NAT sessions (e.g. internal client\nto internet).\n\nTypically connections traversing load balancers, firewalls, or routers.',
},
{
- name: 'account.id',
+ name: 'nat.port',
level: 'extended',
- type: 'keyword',
- example: 666777888999,
+ type: 'long',
+ format: 'string',
description:
- 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
+ 'Translated port of source based NAT sessions (e.g. internal client\nto internet).\n\nTypically connections traversing load balancers, firewalls, or routers.',
},
- ],
- },
- {
- name: 'container',
- title: 'Container',
- group: 2,
- description:
- 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.',
- type: 'group',
- fields: [
{
- name: 'runtime',
- level: 'extended',
- type: 'keyword',
- description: 'Runtime managing this container.',
- example: 'docker',
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the client to the server.',
+ example: 12,
},
{
- name: 'id',
+ name: 'port',
level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the client.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
type: 'keyword',
- description: 'Unique container id.',
+ ignore_above: 1024,
+ description:
+ 'The highest registered client domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
},
{
- name: 'image.name',
+ name: 'top_level_domain',
level: 'extended',
type: 'keyword',
- description: 'Name of the image the container was built on.',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
},
{
- name: 'image.tag',
+ name: 'user.domain',
level: 'extended',
type: 'keyword',
- description: 'Container image tag.',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'name',
+ name: 'user.email',
level: 'extended',
type: 'keyword',
- description: 'Container name.',
+ ignore_above: 1024,
+ description: 'User email address.',
},
{
- name: 'labels',
+ name: 'user.full_name',
level: 'extended',
- type: 'object',
- object_type: 'keyword',
- description: 'Image labels.',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
},
- ],
- },
- {
- name: 'destination',
- title: 'Destination',
- group: 2,
- description:
- 'Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields.',
- type: 'group',
- fields: [
{
- name: 'address',
+ name: 'user.group.domain',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'ip',
- level: 'core',
- type: 'ip',
- description:
- 'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
- name: 'port',
- level: 'core',
- type: 'long',
- description: 'Port of the destination.',
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
{
- name: 'mac',
- level: 'core',
+ name: 'user.hash',
+ level: 'extended',
type: 'keyword',
- description: 'MAC address of the destination.',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
},
{
- name: 'domain',
+ name: 'user.id',
level: 'core',
type: 'keyword',
- description: 'Destination domain.',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
},
{
- name: 'bytes',
+ name: 'user.name',
level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the destination to the source.',
- },
- {
- name: 'packets',
- level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the destination to the source.',
- },
- {
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Short name or login of the user.',
+ example: 'albert',
},
],
},
{
- name: 'ecs',
- title: 'ECS',
+ name: 'cloud',
+ title: 'Cloud',
group: 2,
- description: 'Meta-information specific to ECS.',
+ description: 'Fields related to the cloud or infrastructure the events are coming\nfrom.',
+ footnote:
+ 'Examples: If Metricbeat is running on an EC2 host and fetches data\nfrom its host, the cloud info contains the data about this machine. If Metricbeat\nruns on a remote machine outside the cloud and fetches data from a service running\nin the cloud, the field contains cloud data from the machine the service is\nrunning on.',
type: 'group',
fields: [
{
- name: 'version',
- level: 'core',
+ name: 'account.id',
+ level: 'extended',
type: 'keyword',
- required: true,
+ ignore_above: 1024,
description:
- 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. The current version is 1.0.0-beta2 .',
- example: '1.0.0-beta2',
+ 'The cloud account or organization id used to identify different\nentities in a multi-tenant environment.\n\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
+ example: 666777888999,
},
- ],
- },
- {
- name: 'error',
- title: 'Error',
- group: 2,
- description:
- 'These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.',
- type: 'group',
- fields: [
{
- name: 'id',
- level: 'core',
+ name: 'availability_zone',
+ level: 'extended',
type: 'keyword',
- description: 'Unique identifier for the error.',
+ ignore_above: 1024,
+ description: 'Availability zone in which this host is running.',
+ example: 'us-east-1c',
},
{
- name: 'message',
- level: 'core',
- type: 'text',
- description: 'Error message.',
+ name: 'instance.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Instance ID of the host machine.',
+ example: 'i-1234567890abcdef0',
},
{
- name: 'code',
- level: 'core',
+ name: 'instance.name',
+ level: 'extended',
type: 'keyword',
- description: 'Error code describing the error.',
+ ignore_above: 1024,
+ description: 'Instance name of the host machine.',
},
- ],
- },
- {
- name: 'event',
- title: 'Event',
- group: 2,
- description:
- 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host.',
- type: 'group',
- fields: [
{
- name: 'id',
- level: 'core',
+ name: 'machine.type',
+ level: 'extended',
type: 'keyword',
- description: 'Unique ID to describe the event.',
- example: '8a4f500d',
+ ignore_above: 1024,
+ description: 'Machine type of the host machine.',
+ example: 't2.medium',
},
{
- name: 'kind',
+ name: 'provider',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The kind of the event. This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'state',
+ 'Name of the cloud provider. Example values are aws, azure, gcp,\nor digitalocean.',
+ example: 'aws',
},
{
- name: 'category',
- level: 'core',
+ name: 'region',
+ level: 'extended',
type: 'keyword',
- description:
- 'Event category. This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'user-management',
+ ignore_above: 1024,
+ description: 'Region in which this host is running.',
+ example: 'us-east-1',
},
+ ],
+ },
+ {
+ name: 'code_signature',
+ title: 'Code Signature',
+ group: 2,
+ description: 'These fields contain information about binary code signatures.',
+ type: 'group',
+ fields: [
{
- name: 'action',
+ name: 'exists',
level: 'core',
- type: 'keyword',
- description:
- 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.',
- example: 'user-password-change',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'outcome',
+ name: 'status',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The outcome of the event. If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'success',
- },
- {
- name: 'type',
- level: 'core',
- type: 'keyword',
- description: 'Reserved for future usage. Please avoid using this field for user data.',
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
},
{
- name: 'module',
+ name: 'subject_name',
level: 'core',
type: 'keyword',
- description:
- 'Name of the module this data is coming from. This information is coming from the modules used in Beats or Logstash.',
- example: 'mysql',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'dataset',
- level: 'core',
- type: 'keyword',
+ name: 'trusted',
+ level: 'extended',
+ type: 'boolean',
description:
- 'Name of the dataset. The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name.',
- example: 'stats',
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'severity',
- level: 'core',
- type: 'long',
- example: '7',
+ name: 'valid',
+ level: 'extended',
+ type: 'boolean',
description:
- "Severity describes the severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. ",
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
},
+ ],
+ },
+ {
+ name: 'container',
+ title: 'Container',
+ group: 2,
+ description:
+ 'Container fields are used for meta information about the specific\ncontainer that is the source of information.\n\nThese fields help correlate data based containers from any runtime.',
+ type: 'group',
+ fields: [
{
- name: 'original',
+ name: 'id',
level: 'core',
type: 'keyword',
- example:
- 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232',
- description:
- 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.',
- index: false,
- doc_values: false,
+ ignore_above: 1024,
+ description: 'Unique container id.',
},
{
- name: 'hash',
+ name: 'image.name',
level: 'extended',
type: 'keyword',
- example: '123456789012345678901234567890ABCD',
- description:
- 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.',
- },
- {
- name: 'duration',
- level: 'core',
- type: 'long',
- format: 'duration',
- input_format: 'nanoseconds',
- description:
- 'Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.',
+ ignore_above: 1024,
+ description: 'Name of the image the container was built on.',
},
{
- name: 'timezone',
+ name: 'image.tag',
level: 'extended',
type: 'keyword',
- description:
- 'This field should be populated when the event\'s timestamp does not include timezone information already (e.g. default Syslog timestamps). It\'s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").',
- },
- {
- name: 'created',
- level: 'core',
- type: 'date',
- description:
- 'event.created contains the date when the event was created. This timestamp is distinct from @timestamp in that @timestamp contains the processed timestamp. For logs these two timestamps can be different as the timestamp in the log line and when the event is read for example by Filebeat are not identical. `@timestamp` must contain the timestamp extracted from the log line, event.created when the log line is read. The same could apply to package capturing where @timestamp contains the timestamp extracted from the network package and event.created when the event was created. In case the two timestamps are identical, @timestamp should be used.',
+ ignore_above: 1024,
+ description: 'Container image tags.',
},
{
- name: 'start',
+ name: 'labels',
level: 'extended',
- type: 'date',
- description:
- 'event.start contains the date when the event started or when the activity was first observed.',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Image labels.',
},
{
- name: 'end',
+ name: 'name',
level: 'extended',
- type: 'date',
- description:
- 'event.end contains the date when the event ended or when the activity was last observed.',
- },
- {
- name: 'risk_score',
- level: 'core',
- type: 'float',
- description:
- "Risk score or priority of the event (e.g. security solutions). Use your system's original value here. ",
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Container name.',
},
{
- name: 'risk_score_norm',
+ name: 'runtime',
level: 'extended',
- type: 'float',
- description:
- 'Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Runtime managing this container.',
+ example: 'docker',
},
],
},
{
- name: 'file',
+ name: 'destination',
+ title: 'Destination',
group: 2,
- title: 'File',
description:
- 'A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.',
+ 'Destination fields describe details about the destination of a packet/event.\n\nDestination fields are usually populated in conjunction with source fields.',
type: 'group',
fields: [
{
- name: 'path',
+ name: 'address',
level: 'extended',
type: 'keyword',
- description: 'Path to the file.',
+ ignore_above: 1024,
+ description:
+ 'Some event destination addresses are defined ambiguously. The\nevent will sometimes list an IP, a domain or a unix socket. You should always\nstore the raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
},
{
- name: 'target_path',
+ name: 'as.number',
level: 'extended',
- type: 'keyword',
- description: 'Target path for symlinks.',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
},
{
- name: 'extension',
+ name: 'as.organization.name',
level: 'extended',
type: 'keyword',
- description: 'File extension. This should allow easy filtering by file extensions.',
- example: 'png',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
},
{
- name: 'type',
- level: 'extended',
- type: 'keyword',
- description: 'File type (file, dir, or symlink).',
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the destination to the source.',
+ example: 184,
},
{
- name: 'device',
- level: 'extended',
+ name: 'domain',
+ level: 'core',
type: 'keyword',
- description: 'Device that is the source of the file.',
+ ignore_above: 1024,
+ description: 'Destination domain.',
},
{
- name: 'inode',
- level: 'extended',
+ name: 'geo.city_name',
+ level: 'core',
type: 'keyword',
- description: 'Inode representing the file in the filesystem.',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'uid',
- level: 'extended',
+ name: 'geo.continent_name',
+ level: 'core',
type: 'keyword',
- description: 'The user ID (UID) or security identifier (SID) of the file owner.',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'owner',
- level: 'extended',
+ name: 'geo.country_iso_code',
+ level: 'core',
type: 'keyword',
- description: "File owner's username.",
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'gid',
- level: 'extended',
+ name: 'geo.country_name',
+ level: 'core',
type: 'keyword',
- description: 'Primary group ID (GID) of the file.',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'group',
- level: 'extended',
- type: 'keyword',
- description: 'Primary group name of the file.',
- },
- {
- name: 'mode',
- level: 'extended',
- type: 'keyword',
- example: 416,
- description: 'Mode of the file in octal representation.',
- },
- {
- name: 'size',
- level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'File size in bytes (field is only added when `type` is `file`).',
- },
- {
- name: 'mtime',
- level: 'extended',
- type: 'date',
- description: 'Last time file content was modified.',
- },
- {
- name: 'ctime',
- level: 'extended',
- type: 'date',
- description: 'Last time file metadata changed.',
- },
- ],
- },
- {
- name: 'group',
- title: 'Group',
- group: 2,
- description:
- 'The group fields are meant to represent groups that are relevant to the event.',
- type: 'group',
- fields: [
- {
- name: 'id',
- level: 'extended',
- type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
{
- name: 'name',
+ name: 'geo.name',
level: 'extended',
type: 'keyword',
- description: 'Name of the group.',
- },
- ],
- },
- {
- name: 'host',
- title: 'Host',
- group: 2,
- description:
- 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or on which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.',
- type: 'group',
- fields: [
- {
- name: 'hostname',
- level: 'core',
- type: 'keyword',
+ ignore_above: 1024,
description:
- 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.',
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'name',
+ name: 'geo.region_iso_code',
level: 'core',
type: 'keyword',
- description:
- 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'id',
+ name: 'geo.region_name',
level: 'core',
type: 'keyword',
- description:
- 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
{
name: 'ip',
level: 'core',
type: 'ip',
- description: 'Host ip address.',
+ description:
+ 'IP address of the destination.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
},
{
name: 'mac',
level: 'core',
type: 'keyword',
- description: 'Host mac address.',
+ ignore_above: 1024,
+ description: 'MAC address of the destination.',
},
{
- name: 'type',
- level: 'core',
- type: 'keyword',
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
description:
- 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.',
+ 'Translated ip of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
},
{
- name: 'architecture',
- level: 'core',
- type: 'keyword',
- example: 'x86_64',
- description: 'Operating system architecture.',
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Port the source session is translated to by NAT Device.\n\nTypically used with load balancers, firewalls, or routers.',
},
{
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
- {
- name: 'platform',
- level: 'extended',
- type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
- },
- {
- name: 'full',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
- },
- {
- name: 'family',
- level: 'extended',
- type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- },
- {
- name: 'version',
- level: 'extended',
- type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
- },
- {
- name: 'kernel',
- level: 'extended',
- type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
- },
- ],
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the destination to the source.',
+ example: 12,
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the destination.',
},
- ],
- },
- {
- name: 'http',
- title: 'HTTP',
- group: 2,
- description: 'Fields related to HTTP activity.',
- type: 'group',
- fields: [
{
- name: 'request.method',
+ name: 'registered_domain',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Http request method. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'get, post, put',
+ 'The highest registered destination domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
},
{
- name: 'request.body.content',
+ name: 'top_level_domain',
level: 'extended',
type: 'keyword',
- description: 'The full http request body.',
- example: 'Hello world',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
},
{
- name: 'request.referrer',
+ name: 'user.domain',
level: 'extended',
type: 'keyword',
- description: 'Referrer for this HTTP request.',
- example: 'https://blog.example.com/',
- },
- {
- name: 'response.status_code',
- level: 'extended',
- type: 'long',
- description: 'Http response status code.',
- example: 404,
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'response.body.content',
+ name: 'user.email',
level: 'extended',
type: 'keyword',
- description: 'The full http response body.',
- example: 'Hello world',
+ ignore_above: 1024,
+ description: 'User email address.',
},
{
- name: 'version',
+ name: 'user.full_name',
level: 'extended',
type: 'keyword',
- description: 'Http version.',
- example: 1.1,
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
},
{
- name: 'request.bytes',
+ name: 'user.group.domain',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Total size in bytes of the request (body and headers).',
- example: 1437,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'request.body.bytes',
+ name: 'user.group.id',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Size in bytes of the request body.',
- example: 887,
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
- name: 'response.bytes',
+ name: 'user.group.name',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Total size in bytes of the response (body and headers).',
- example: 1437,
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
{
- name: 'response.body.bytes',
+ name: 'user.hash',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Size in bytes of the response body.',
- example: 887,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
},
- ],
- },
- {
- name: 'log',
- title: 'Log',
- description: 'Fields which are specific to log events.',
- type: 'group',
- fields: [
{
- name: 'level',
+ name: 'user.id',
level: 'core',
type: 'keyword',
- description: 'Log level of the log event. Some examples are `WARN`, `ERR`, `INFO`.',
- example: 'ERR',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
},
{
- name: 'original',
+ name: 'user.name',
level: 'core',
type: 'keyword',
- example: 'Sep 19 08:26:10 localhost My log',
- index: false,
- doc_values: false,
- description:
- " This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. ",
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
},
],
},
{
- name: 'network',
- title: 'Network',
+ name: 'dll',
+ title: 'DLL',
group: 2,
description:
- 'The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.',
+ 'These fields contain information about code libraries dynamically\nloaded into processes.\n\n\nMany operating systems refer to "shared code libraries" with different names,\nbut this field set refers to all of the following:\n\n* Dynamic-link library (`.dll`) commonly used on Windows\n\n* Shared Object (`.so`) commonly used on Unix-like operating systems\n\n* Dynamic library (`.dylib`) commonly used on macOS',
type: 'group',
fields: [
{
- name: 'name',
+ name: 'code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.status',
level: 'extended',
type: 'keyword',
- description: 'Name given by operators to sections of their network.',
- example: 'Guest Wifi',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
},
{
- name: 'type',
+ name: 'code_signature.subject_name',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
description:
- 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'ipv4',
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'iana_number',
+ name: 'code_signature.valid',
level: 'extended',
- type: 'keyword',
+ type: 'boolean',
description:
- 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.',
- example: 6,
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'transport',
- level: 'core',
+ name: 'hash.md5',
+ level: 'extended',
type: 'keyword',
- description:
- 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'tcp',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ default_field: false,
},
{
- name: 'application',
+ name: 'hash.sha1',
level: 'extended',
type: 'keyword',
- description:
- 'A name given to an application. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'aim',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ default_field: false,
},
{
- name: 'protocol',
- level: 'core',
+ name: 'hash.sha256',
+ level: 'extended',
type: 'keyword',
- description:
- 'L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'http',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ default_field: false,
},
{
- name: 'direction',
+ name: 'hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ default_field: false,
+ },
+ {
+ name: 'name',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- "Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. ",
- example: 'inbound',
+ 'Name of the library.\n\nThis generally maps to the name of the file on disk.',
+ example: 'kernel32.dll',
+ default_field: false,
},
{
- name: 'forwarded_ip',
- level: 'core',
- type: 'ip',
- description: 'Host IP address when the source IP address is the proxy.',
- example: '192.1.1.2',
- },
- {
- name: 'community_id',
+ name: 'path',
level: 'extended',
type: 'keyword',
- description:
- 'A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec.',
- example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=',
- },
- {
- name: 'bytes',
- level: 'core',
- type: 'long',
- format: 'bytes',
- description:
- 'Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.',
- example: 368,
- },
- {
- name: 'packets',
- level: 'core',
- type: 'long',
- description:
- 'Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.',
- example: 24,
- },
- ],
- },
- {
- name: 'observer',
- title: 'Observer',
- group: 2,
- description:
- 'An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.',
- type: 'group',
- fields: [
- {
- name: 'mac',
- level: 'core',
- type: 'keyword',
- description: 'MAC address of the observer',
- },
- {
- name: 'ip',
- level: 'core',
- type: 'ip',
- description: 'IP address of the observer.',
+ ignore_above: 1024,
+ description: 'Full file path of the library.',
+ example: 'C:\\Windows\\System32\\kernel32.dll',
+ default_field: false,
},
{
- name: 'hostname',
- level: 'core',
+ name: 'pe.company',
+ level: 'extended',
type: 'keyword',
- description: 'Hostname of the observer.',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'vendor',
- level: 'core',
+ name: 'pe.description',
+ level: 'extended',
type: 'keyword',
- description: 'observer vendor information.',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
},
{
- name: 'version',
- level: 'core',
+ name: 'pe.file_version',
+ level: 'extended',
type: 'keyword',
- description: 'Observer version.',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
},
{
- name: 'serial_number',
+ name: 'pe.original_file_name',
level: 'extended',
type: 'keyword',
- description: 'Observer serial number.',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
},
{
- name: 'type',
- level: 'core',
+ name: 'pe.product',
+ level: 'extended',
type: 'keyword',
- description:
- 'The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.',
- example: 'firewall',
- },
- {
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
- {
- name: 'platform',
- level: 'extended',
- type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
- },
- {
- name: 'full',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
- },
- {
- name: 'family',
- level: 'extended',
- type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- },
- {
- name: 'version',
- level: 'extended',
- type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
- },
- {
- name: 'kernel',
- level: 'extended',
- type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
- },
- ],
- },
- {
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
},
],
},
{
- name: 'organization',
- title: 'Organization',
+ name: 'dns',
+ title: 'DNS',
group: 2,
description:
- 'The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.',
+ 'Fields describing DNS queries and answers.\n\nDNS events should either represent a single DNS query prior to getting answers\n(`dns.type:query`) or they should represent a full exchange and contain the\nquery details as well as all of the answers that were provided for this query\n(`dns.type:answer`).',
type: 'group',
fields: [
{
- name: 'name',
+ name: 'answers',
level: 'extended',
- type: 'keyword',
- description: 'Organization name.',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'An array containing an object for each answer section returned\nby the server.\n\nThe main keys that should be present in these objects are defined by ECS.\nRecords that have more information may contain more keys than what ECS defines.\n\nNot all DNS data sources give all details about DNS answers. At minimum, answer\nobjects must contain the `data` key. If more information is available, map\nas much of it to ECS as possible, and add any additional fields to the answer\nobjects as custom fields.',
},
{
- name: 'id',
+ name: 'answers.class',
level: 'extended',
type: 'keyword',
- description: 'Unique identifier for the organization.',
+ ignore_above: 1024,
+ description: 'The class of DNS data contained in this resource record.',
+ example: 'IN',
},
- ],
- },
- {
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
{
- name: 'platform',
+ name: 'answers.data',
level: 'extended',
type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
+ ignore_above: 1024,
+ description:
+ 'The data describing the resource.\n\nThe meaning of this data depends on the type and class of the resource record.',
+ example: '10.10.10.10',
},
{
- name: 'name',
+ name: 'answers.name',
level: 'extended',
type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
+ ignore_above: 1024,
+ description:
+ 'The domain name to which this resource record pertains.\n\nIf a chain of CNAME is being resolved, each answer `name` should be the\none that corresponds with the answer `data`. It should not simply be the\noriginal `question.name` repeated.',
+ example: 'www.google.com',
},
{
- name: 'full',
+ name: 'answers.ttl',
level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
+ type: 'long',
+ description:
+ 'The time interval in seconds that this resource record may be cached\nbefore it should be discarded. Zero values mean that the data should not be\ncached.',
+ example: 180,
},
{
- name: 'family',
+ name: 'answers.type',
level: 'extended',
type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
+ ignore_above: 1024,
+ description: 'The type of data contained in this resource record.',
+ example: 'CNAME',
},
{
- name: 'version',
+ name: 'header_flags',
level: 'extended',
type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
+ ignore_above: 1024,
+ description:
+ 'Array of 2 letter DNS header flags.\n\nExpected values are: AA, TC, RD, RA, AD, CD, DO.',
+ example: ['RD', 'RA'],
},
{
- name: 'kernel',
+ name: 'id',
level: 'extended',
type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
+ ignore_above: 1024,
+ description:
+ 'The DNS packet identifier assigned by the program that generated\nthe query. The identifier is copied to the response.',
+ example: 62111,
},
- ],
- },
- {
- name: 'process',
- title: 'Process',
- group: 2,
- description:
- 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.',
- type: 'group',
- fields: [
{
- name: 'pid',
- level: 'core',
- type: 'long',
- description: 'Process id.',
- example: 'ssh',
+ name: 'op_code',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The DNS operation code that specifies the kind of query in the\nmessage. This value is set by the originator of a query and copied into the\nresponse.',
+ example: 'QUERY',
},
{
- name: 'name',
+ name: 'question.class',
level: 'extended',
type: 'keyword',
- description: 'Process name. Sometimes called program name or similar.',
- example: 'ssh',
+ ignore_above: 1024,
+ description: 'The class of records being queried.',
+ example: 'IN',
},
{
- name: 'ppid',
+ name: 'question.name',
level: 'extended',
- type: 'long',
- description: 'Process parent id.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name being queried.\n\nIf the name field contains non-printable characters (below 32 or above 126),\nthose characters should be represented as escaped base 10 integers (\\DDD).\nBack slashes and quotes should be escaped. Tabs, carriage returns, and line\nfeeds should be converted to \\t, \\r, and \\n respectively.',
+ example: 'www.google.com',
},
{
- name: 'args',
+ name: 'question.registered_domain',
level: 'extended',
type: 'keyword',
- description: 'Process arguments. May be filtered to protect sensitive information.',
- example: ['ssh', '-l', 'user', '10.0.0.16'],
+ ignore_above: 1024,
+ description:
+ 'The highest registered domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
},
{
- name: 'executable',
+ name: 'question.subdomain',
level: 'extended',
type: 'keyword',
- description: 'Absolute path to the process executable.',
- example: '/usr/bin/ssh',
+ ignore_above: 1024,
+ description:
+ 'The subdomain is all of the labels under the registered_domain.\n\nIf the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",\nthe subdomain field should contain "sub2.sub1", with no trailing period.',
+ example: 'www',
},
{
- name: 'title',
+ name: 'question.top_level_domain',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.',
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
},
{
- name: 'thread.id',
+ name: 'question.type',
level: 'extended',
- type: 'long',
- example: 4242,
- description: 'Thread ID.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The type of record being queried.',
+ example: 'AAAA',
},
{
- name: 'start',
+ name: 'resolved_ip',
level: 'extended',
- type: 'date',
- example: '2016-05-23T08:05:34.853Z',
- description: 'The time the process started.',
+ type: 'ip',
+ description:
+ 'Array containing all IPs seen in `answers.data`.\n\nThe `answers` array can be difficult to use, because of the variety of data\nformats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`\nmakes it possible to index them as IP addresses, and makes them easier to\nvisualize and query for.',
+ example: ['10.10.10.10', '10.10.10.11'],
},
{
- name: 'working_directory',
+ name: 'response_code',
level: 'extended',
type: 'keyword',
- example: '/home/alice',
- description: 'The working directory of the process.',
+ ignore_above: 1024,
+ description: 'The DNS response code.',
+ example: 'NOERROR',
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of DNS event captured, query or answer.\n\nIf your source of DNS events only gives you DNS queries, you should only create\ndns events of type `dns.type:query`.\n\nIf your source of DNS events gives you answers as well, you should create\none event per query (optionally as soon as the query is seen). And a second\nevent containing all query details as well as an array of answers.',
+ example: 'answer',
},
],
},
{
- name: 'related',
- title: 'Related',
+ name: 'ecs',
+ title: 'ECS',
group: 2,
- description:
- 'This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in ECS. To facilitate searching for them, append values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`.',
+ description: 'Meta-information specific to ECS.',
type: 'group',
fields: [
{
- name: 'ip',
- level: 'extended',
- type: 'ip',
- description: 'All of the IPs seen on your event.',
+ name: 'version',
+ level: 'core',
+ required: true,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'ECS version this event conforms to. `ecs.version` is a required\nfield and must exist in all events.\n\nWhen querying across multiple indices -- which may conform to slightly different\nECS versions -- this field lets integrations adjust to the schema version\nof the events.',
+ example: '1.0.0',
},
],
},
{
- name: 'server',
- title: 'Server',
+ name: 'error',
+ title: 'Error',
group: 2,
description:
- 'A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.',
+ 'These fields can represent errors of any kind.\n\nUse them for errors that happen while fetching events or in cases where the\nevent itself contains an error.',
type: 'group',
fields: [
{
- name: 'address',
- level: 'extended',
- type: 'keyword',
- description:
- 'Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
- },
- {
- name: 'ip',
- level: 'core',
- type: 'ip',
- description: 'IP address of the server. Can be one or multiple IPv4 or IPv6 addresses.',
- },
- {
- name: 'port',
- level: 'core',
- type: 'long',
- description: 'Port of the server.',
- },
- {
- name: 'mac',
+ name: 'code',
level: 'core',
type: 'keyword',
- description: 'MAC address of the server.',
+ ignore_above: 1024,
+ description: 'Error code describing the error.',
},
{
- name: 'domain',
+ name: 'id',
level: 'core',
type: 'keyword',
- description: 'Server domain.',
- },
- {
- name: 'bytes',
- level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the server to the client.',
+ ignore_above: 1024,
+ description: 'Unique identifier for the error.',
},
{
- name: 'packets',
+ name: 'message',
level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the server to the client.',
+ type: 'text',
+ description: 'Error message.',
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
+ name: 'stack_trace',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'The stack trace of this error in plain text.',
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The type of the error, for example the class name of the exception.',
+ example: 'java.lang.NullPointerException',
},
],
},
{
- name: 'service',
- title: 'Service',
+ name: 'event',
+ title: 'Event',
group: 2,
description:
- 'The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.',
+ 'The event fields are used for context information about the log\nor metric event itself.\n\nA log is defined as an event containing details of something that happened.\nLog events must include the time at which the thing happened. Examples of log\nevents include a process starting on a host, a network packet being sent from\na source to a destination, or a network connection between a client and a server\nbeing initiated or closed. A metric is defined as an event containing one or\nmore numerical measurements and the time at which the measurement was taken.\nExamples of metric events include memory pressure measured on a host and device\ntemperature. See the `event.kind` definition in this section for additional\ndetails about metric and state events.',
type: 'group',
fields: [
{
- name: 'id',
+ name: 'action',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance.',
- example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6',
+ 'The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.',
+ example: 'user-password-change',
},
{
- name: 'name',
+ name: 'category',
level: 'core',
type: 'keyword',
- example: 'elasticsearch-metrics',
+ ignore_above: 1024,
description:
- 'Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified.',
+ 'This is one of four ECS Categorization Fields, and indicates the\nsecond level in the ECS category hierarchy.\n\n`event.category` represents the "big buckets" of ECS categories. For example,\nfiltering on `event.category:process` yields all events relating to process\nactivity. This field is closely related to `event.type`, which is used as\na subcategory.\n\nThis field is an array. This will allow proper categorization of some events\nthat fall in multiple categories.',
+ example: 'authentication',
},
{
- name: 'type',
- level: 'core',
+ name: 'code',
+ level: 'extended',
type: 'keyword',
- example: 'elasticsearch',
+ ignore_above: 1024,
description:
- 'The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.',
+ 'Identification code for this event, if one exists.\n\nSome event sources use event codes to identify messages unambiguously, regardless\nof message language or wording adjustments over time. An example of this is\nthe Windows Event ID.',
+ example: 4648,
},
{
- name: 'state',
+ name: 'created',
level: 'core',
- type: 'keyword',
- description: 'Current state of the service.',
+ type: 'date',
+ description:
+ 'event.created contains the date/time when the event was first\nread by an agent, or by your pipeline.\n\nThis field is distinct from @timestamp in that @timestamp typically contain\nthe time extracted from the original event.\n\nIn most situations, these two timestamps will be slightly different. The difference\ncan be used to calculate the delay between your source generating an event,\nand the time when your agent first processed it. This can be used to monitor\nyour agent or pipeline ability to keep up with your event source.\n\nIn case the two timestamps are identical, @timestamp should be used.',
+ example: '2016-05-23T08:05:34.857Z',
},
{
- name: 'version',
+ name: 'dataset',
level: 'core',
type: 'keyword',
- example: '3.2.4',
+ ignore_above: 1024,
description:
- 'Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.',
+ 'Name of the dataset.\n\nIf an event source publishes more than one type of log or events (e.g. access\nlog, error log), the dataset is used to specify which one the event comes\nfrom.\n\nIt is recommended but not required to start the dataset name with the module\nname, followed by a dot, then the dataset name.',
+ example: 'apache.access',
},
{
- name: 'ephemeral_id',
+ name: 'duration',
+ level: 'core',
+ type: 'long',
+ format: 'duration',
+ input_format: 'nanoseconds',
+ output_format: 'asMilliseconds',
+ output_precision: 1,
+ description:
+ 'Duration of the event in nanoseconds.\n\nIf event.start and event.end are known this value should be the difference\nbetween the end and start time.',
+ },
+ {
+ name: 'end',
level: 'extended',
- type: 'keyword',
+ type: 'date',
description:
- 'Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.',
- example: '8a4f500f',
+ 'event.end contains the date when the event ended or when the activity\nwas last observed.',
},
- ],
- },
- {
- name: 'source',
- title: 'Source',
- group: 2,
- description:
- 'Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields.',
- type: 'group',
- fields: [
{
- name: 'address',
+ name: 'hash',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ 'Hash (perhaps logstash fingerprint) of raw field to be able to\ndemonstrate log integrity.',
+ example: '123456789012345678901234567890ABCD',
},
{
- name: 'ip',
+ name: 'id',
level: 'core',
- type: 'ip',
- description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique ID to describe the event.',
+ example: '8a4f500d',
},
{
- name: 'port',
+ name: 'ingested',
level: 'core',
- type: 'long',
- description: 'Port of the source.',
+ type: 'date',
+ description:
+ 'Timestamp when an event arrived in the central data store.\n\nThis is different from `@timestamp`, which is when the event originally occurred. It is\nalso different from `event.created`, which is meant to capture the first time\nan agent saw the event.\n\nIn normal conditions, assuming no tampering, the timestamps should chronologically\nlook like this: `@timestamp` < `event.created` < `event.ingested`.',
+ example: '2016-05-23T08:05:35.101Z',
+ default_field: false,
},
{
- name: 'mac',
+ name: 'kind',
level: 'core',
type: 'keyword',
- description: 'MAC address of the source.',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nhighest level in the ECS category hierarchy.\n\n`event.kind` gives high-level information about what type of information the\nevent contains, without being specific to the contents of the event. For example,\nvalues of this field distinguish alert events from metric events.\n\nThe value of this field can be used to inform how these kinds of events should\nbe handled. They may warrant different retention, different access control,\nit may also help understand whether the data coming in at a regular interval\nor not.',
+ example: 'alert',
},
{
- name: 'domain',
+ name: 'module',
level: 'core',
type: 'keyword',
- description: 'Source domain.',
+ ignore_above: 1024,
+ description:
+ 'Name of the module this data is coming from.\n\nIf your monitoring agent supports the concept of modules or plugins to process\nevents of a given source (e.g. Apache logs), `event.module` should contain\nthe name of this module.',
+ example: 'apache',
},
{
- name: 'bytes',
+ name: 'original',
level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the source to the destination.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Raw text message of entire event. Used to demonstrate log integrity.\n\nThis field is not indexed and doc_values are disabled. It cannot be searched,\nbut it can be retrieved from `_source`.',
+ example:
+ 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|\nworm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232',
},
{
- name: 'packets',
+ name: 'outcome',
level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the source to the destination.',
- },
- {
- name: 'geo',
- title: 'Geo',
- group: 2,
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ 'This is one of four ECS Categorization Fields, and indicates the\nlowest level in the ECS category hierarchy.\n\n`event.outcome` simply denotes whether the event represents a success or a\nfailure from the perspective of the entity that produced the event.\n\nNote that when a single transaction is described in multiple events, each\nevent may populate different values of `event.outcome`, according to their\nperspective.\n\nAlso note that in the case of a compound event (a single event that contains\nmultiple logical events), this field should be populated with the value that\nbest captures the overall success or failure from the perspective of the event\nproducer.\n\nFurther note that not all events will have an associated outcome. For example,\nthis field is generally not populated for metric events, events with `event.type:info`,\nor any events for which an outcome does not make logical sense.',
+ example: 'success',
},
- ],
- },
- {
- name: 'url',
- title: 'URL',
- description: 'URL fields provide a complete URL, with scheme, host, and path.',
- type: 'group',
- fields: [
{
- name: 'original',
+ name: 'provider',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.',
- example:
- 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch',
+ 'Source of the event.\n\nEvent transports such as Syslog or the Windows Event Log typically mention\nthe source of an event. It can be the name of the software that generated\nthe event (e.g. Sysmon, httpd), or of a subsystem of the operating system\n(kernel, Microsoft-Windows-Security-Auditing).',
+ example: 'kernel',
},
{
- name: 'full',
+ name: 'reference',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.',
- example: 'https://www.elastic.co:443/search?q=elasticsearch#top',
+ 'Reference URL linking to additional information about this event.\n\nThis URL links to a static definition of the this event. Alert events, indicated\nby `event.kind:alert`, are a common use case for this field.',
+ example: 'https://system.vendor.com/event/#0001234',
+ default_field: false,
},
{
- name: 'scheme',
- level: 'extended',
- type: 'keyword',
+ name: 'risk_score',
+ level: 'core',
+ type: 'float',
description:
- 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.',
- example: 'https',
+ "Risk score or priority of the event (e.g. security solutions).\nUse your system's original value here.",
},
{
- name: 'domain',
+ name: 'risk_score_norm',
level: 'extended',
- type: 'keyword',
+ type: 'float',
description:
- 'Domain of the request, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.',
- example: 'www.elastic.co',
+ 'Normalized risk score or priority of the event, on a scale of\n0 to 100.\n\nThis is mainly useful if you use more than one system that assigns risk scores,\nand you want to see a normalized value across all systems.',
},
{
- name: 'port',
+ name: 'sequence',
level: 'extended',
- type: 'integer',
- description: 'Port of the request, such as 443.',
- example: 443,
+ type: 'long',
+ format: 'string',
+ description:
+ 'Sequence number of the event.\n\nThe sequence number is a value published by some event sources, to make the\nexact ordering of events unambiguous, regardless of the timestamp precision.',
},
{
- name: 'path',
- level: 'extended',
- type: 'keyword',
- description: 'Path of the request, such as "/search".',
+ name: 'severity',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description:
+ 'The numeric severity of the event according to your event source.\n\nWhat the different severity values mean can be different between sources and\nuse cases. It is up to the implementer to make sure severities are consistent\nacross events from the same source.\n\nThe Syslog severity belongs in `log.syslog.severity.code`. `event.severity`\nis meant to represent the severity according to the event source (e.g. firewall,\nIDS). If the event source does not publish its own severity, you may optionally\ncopy the `log.syslog.severity.code` to `event.severity`.',
+ example: 7,
},
{
- name: 'query',
+ name: 'start',
level: 'extended',
- type: 'keyword',
+ type: 'date',
description:
- 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.',
+ 'event.start contains the date when the event started or when the\nactivity was first observed.',
},
{
- name: 'fragment',
+ name: 'timezone',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.',
+ 'This field should be populated when the event timestamp does\nnot include timezone information already (e.g. default Syslog timestamps).\nIt is optional otherwise.\n\nAcceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),\nabbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").',
},
{
- name: 'username',
- level: 'extended',
+ name: 'type',
+ level: 'core',
type: 'keyword',
- description: 'Username of the request.',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nthird level in the ECS category hierarchy.\n\n`event.type` represents a categorization "sub-bucket" that, when used along\nwith the `event.category` field values, enables filtering events down to a\nlevel appropriate for single visualization.\n\nThis field is an array. This will allow proper categorization of some events\nthat fall in multiple event types.',
},
{
- name: 'password',
+ name: 'url',
level: 'extended',
type: 'keyword',
- description: 'Password of the request.',
+ ignore_above: 1024,
+ description:
+ 'URL linking to an external system to continue investigation of\nthis event.\n\nThis URL links to another system where in-depth investigation of the specific\noccurence of this event can take place. Alert events, indicated by `event.kind:alert`,\nare a common use case for this field.',
+ example: 'https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe',
+ default_field: false,
},
],
},
{
- name: 'user',
- title: 'User',
+ name: 'file',
+ title: 'File',
group: 2,
description:
- 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.',
- reusable: {
- top_level: true,
- expected: ['client', 'destination', 'host', 'server', 'source'],
- },
+ 'A file is defined as a set of information that has been created\non, or has existed on a filesystem.\n\nFile objects can be associated with host events, network events, and/or file\nevents (e.g., those produced by File Integrity Monitoring [FIM] products or\nservices). File fields provide details about the affected file associated with\nthe event or metric.',
type: 'group',
fields: [
{
- name: 'id',
- level: 'core',
+ name: 'accessed',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Last time the file was accessed.\n\nNote that not all filesystems keep track of access time.',
+ },
+ {
+ name: 'attributes',
+ level: 'extended',
type: 'keyword',
- description: 'One or multiple unique identifiers of the user.',
+ ignore_above: 1024,
+ description:
+ 'Array of file attributes.\n\nAttributes names will vary by platform. Here is a non-exhaustive list of values\nthat are expected in this field: archive, compressed, directory, encrypted,\nexecute, hidden, read, readonly, system, write.',
+ example: '["readonly", "system"]',
+ default_field: false,
},
{
- name: 'name',
+ name: 'code_signature.exists',
level: 'core',
- type: 'keyword',
- example: 'albert',
- description: 'Short name or login of the user.',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'full_name',
+ name: 'code_signature.status',
level: 'extended',
type: 'keyword',
- example: 'Albert Einstein',
- description: "User's full name, if available. ",
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
},
{
- name: 'email',
- level: 'extended',
+ name: 'code_signature.subject_name',
+ level: 'core',
type: 'keyword',
- description: 'User email address.',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'hash',
+ name: 'code_signature.trusted',
level: 'extended',
- type: 'keyword',
+ type: 'boolean',
description:
- 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.',
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'group',
- title: 'Group',
- group: 2,
+ name: 'code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
description:
- 'The group fields are meant to represent groups that are relevant to the event.',
- type: 'group',
- fields: [
- {
- name: 'id',
- level: 'extended',
- type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description: 'Name of the group.',
- },
- ],
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
},
- ],
- },
- {
- name: 'user_agent',
- title: 'User agent',
- group: 2,
- description:
- 'The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.',
- type: 'group',
- fields: [
{
- name: 'original',
+ name: 'created',
level: 'extended',
- type: 'keyword',
- description: 'Unparsed version of the user_agent.',
- example:
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
+ type: 'date',
+ description:
+ 'File creation time.\n\nNote that not all filesystems store the creation time.',
},
{
- name: 'name',
+ name: 'ctime',
level: 'extended',
- type: 'keyword',
- example: 'Safari',
- description: 'Name of the user agent.',
+ type: 'date',
+ description:
+ 'Last time the file attributes or metadata changed.\n\nNote that changes to the file content will update `mtime`. This implies `ctime`\nwill be adjusted at the same time, since `mtime` is an attribute of the file.',
},
{
- name: 'version',
+ name: 'device',
level: 'extended',
type: 'keyword',
- description: 'Version of the user agent.',
- example: 12,
+ ignore_above: 1024,
+ description: 'Device that is the source of the file.',
+ example: 'sda',
},
{
- name: 'device.name',
+ name: 'directory',
level: 'extended',
type: 'keyword',
- example: 'iPhone',
- description: 'Name of the device.',
+ ignore_above: 1024,
+ description:
+ 'Directory where the file is located. It should include the drive\nletter, when appropriate.',
+ example: '/home/alice',
},
{
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
- {
- name: 'platform',
- level: 'extended',
- type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
- },
- {
- name: 'full',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
- },
- {
- name: 'family',
- level: 'extended',
- type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- },
- {
- name: 'version',
- level: 'extended',
- type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
- },
- {
- name: 'kernel',
- level: 'extended',
- type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
- },
- ],
+ name: 'drive_letter',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1,
+ description:
+ 'Drive letter where the file is located. This field is only relevant\non Windows.\n\nThe value should be uppercase, and not include the colon.',
+ example: 'C',
+ default_field: false,
},
- ],
- },
- {
- name: 'agent.hostname',
- type: 'keyword',
- description: 'Hostname of the agent.',
- },
- ],
- },
- {
- key: 'beat',
- title: 'Beat',
- description: 'Contains common beat fields available in all event types.',
- fields: [
- {
- name: 'beat.timezone',
- type: 'alias',
- path: 'event.timezone',
- migration: true,
- },
- {
- name: 'fields',
- type: 'object',
- object_type: 'keyword',
- description: 'Contains user configurable fields.',
- },
- {
- name: 'error',
- type: 'group',
- description: 'Error fields containing additional info in case of errors.',
- fields: [
{
- name: 'type',
+ name: 'extension',
+ level: 'extended',
type: 'keyword',
- description: 'Error type.',
+ ignore_above: 1024,
+ description: 'File extension.',
+ example: 'png',
},
- ],
- },
- {
- name: 'beat.name',
- type: 'alias',
- path: 'host.name',
- migration: true,
- },
- {
- name: 'beat.hostname',
- type: 'alias',
- path: 'agent.hostname',
- migration: true,
- },
- ],
- },
- {
- key: 'cloud',
- title: 'Cloud provider metadata',
- description: 'Metadata from cloud providers added by the add_cloud_metadata processor.',
- fields: [
- {
- name: 'cloud.project.id',
- example: 'project-x',
- description: 'Name of the project in Google Cloud.',
- },
- {
- name: 'meta.cloud.provider',
- type: 'alias',
- path: 'cloud.provider',
- migration: true,
- },
- {
- name: 'meta.cloud.instance_id',
- type: 'alias',
- path: 'cloud.instance.id',
- migration: true,
- },
- {
- name: 'meta.cloud.instance_name',
- type: 'alias',
- path: 'cloud.instance.name',
- migration: true,
- },
- {
- name: 'meta.cloud.machine_type',
- type: 'alias',
- path: 'cloud.machine.type',
- migration: true,
- },
- {
- name: 'meta.cloud.availability_zone',
- type: 'alias',
- path: 'cloud.availability_zone',
- migration: true,
- },
- {
- name: 'meta.cloud.project_id',
- type: 'alias',
- path: 'cloud.project.id',
- migration: true,
- },
- {
- name: 'meta.cloud.region',
- type: 'alias',
- path: 'cloud.region',
- migration: true,
- },
- ],
- },
- {
- key: 'docker',
- title: 'Docker',
- description: 'Docker stats collected from Docker.',
- short_config: false,
- anchor: 'docker-processor',
- fields: [
- {
- name: 'docker',
- type: 'group',
- fields: [
{
- name: 'container.id',
- type: 'alias',
- path: 'container.id',
- migration: true,
+ name: 'gid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Primary group ID (GID) of the file.',
+ example: '1001',
},
{
- name: 'container.image',
- type: 'alias',
- path: 'container.image.name',
- migration: true,
+ name: 'group',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Primary group name of the file.',
+ example: 'alice',
},
{
- name: 'container.name',
- type: 'alias',
- path: 'container.name',
- migration: true,
+ name: 'hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
},
{
- name: 'container.labels',
- type: 'object',
- object_type: 'keyword',
- description: 'Image labels.',
+ name: 'hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
},
- ],
- },
- ],
- },
- {
- key: 'host',
- title: 'Host',
- description: 'Info collected for the host machine.',
- anchor: 'host-processor',
- },
- {
- key: 'kubernetes',
- title: 'Kubernetes',
- description: 'Kubernetes metadata added by the kubernetes processor',
- short_config: false,
- anchor: 'kubernetes-processor',
- fields: [
- {
- name: 'kubernetes',
- type: 'group',
- fields: [
{
- name: 'pod.name',
+ name: 'hash.sha256',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes pod name',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
},
{
- name: 'pod.uid',
+ name: 'hash.sha512',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes Pod UID',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
},
{
- name: 'namespace',
+ name: 'inode',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes namespace',
+ ignore_above: 1024,
+ description: 'Inode representing the file in the filesystem.',
+ example: '256383',
},
{
- name: 'node.name',
+ name: 'mime_type',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes node name',
+ ignore_above: 1024,
+ description:
+ 'MIME type should identify the format of the file or stream of bytes\nusing https://www.iana.org/assignments/media-types/media-types.xhtml[IANA\nofficial types], where possible. When more than one type is applicable, the\nmost specific type should be used.',
+ default_field: false,
},
{
- name: 'labels',
- type: 'object',
- description: 'Kubernetes labels map',
+ name: 'mode',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Mode of the file in octal representation.',
+ example: '0640',
},
{
- name: 'annotations',
- type: 'object',
- description: 'Kubernetes annotations map',
+ name: 'mtime',
+ level: 'extended',
+ type: 'date',
+ description: 'Last time the file content was modified.',
},
{
- name: 'container.name',
+ name: 'name',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes container name',
+ ignore_above: 1024,
+ description: 'Name of the file including the extension, without the directory.',
+ example: 'example.png',
},
{
- name: 'container.image',
+ name: 'owner',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes container image',
- },
- ],
- },
- ],
- },
- {
- key: 'process',
- title: 'Process',
- description: 'Process metadata fields',
- fields: [
- {
- name: 'process',
- type: 'group',
- fields: [
- {
- name: 'exe',
- type: 'alias',
- path: 'process.executable',
- migration: true,
- },
- ],
- },
- ],
- },
- {
- key: 'common',
- title: 'Common',
- description:
- 'These fields contain data about the environment in which the transaction or flow was captured.',
- fields: [
- {
- name: 'type',
- description:
- 'The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.',
- required: true,
- },
- {
- name: 'server.process.name',
- description: 'The name of the process that served the transaction.',
- },
- {
- name: 'server.process.args',
- description: 'The command-line of the process that served the transaction.',
- },
- {
- name: 'server.process.executable',
- description: 'Absolute path to the server process executable.',
- },
- {
- name: 'server.process.working_directory',
- description: 'The working directory of the server process.',
- },
- {
- name: 'server.process.start',
- description: 'The time the server process started.',
- },
- {
- name: 'client.process.name',
- description: 'The name of the process that initiated the transaction.',
- },
- {
- name: 'client.process.args',
- description: 'The command-line of the process that initiated the transaction.',
- },
- {
- name: 'client.process.executable',
- description: 'Absolute path to the client process executable.',
- },
- {
- name: 'client.process.working_directory',
- description: 'The working directory of the client process.',
- },
- {
- name: 'client.process.start',
- description: 'The time the client process started.',
- },
- {
- name: 'real_ip',
- type: 'alias',
- path: 'network.forwarded_ip',
- migration: true,
- description:
- 'If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, the IP address extracted from a configurable HTTP header, by default `X-Forwarded-For`. Unless this field is disabled, it always has a value, and it matches the `client_ip` for non proxy clients.',
- },
- {
- name: 'transport',
- type: 'alias',
- path: 'network.transport',
- migration: true,
- description:
- 'The transport protocol used for the transaction. If not specified, then tcp is assumed.',
- },
- ],
- },
- {
- key: 'flows_event',
- title: 'Flow Event',
- description: 'These fields contain data about the flow itself.',
- fields: [
- {
- name: 'flow.final',
- type: 'boolean',
- description:
- 'Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.',
- },
- {
- name: 'flow.id',
- description: 'Internal flow ID based on connection meta data and address.',
- },
- {
- name: 'flow.vlan',
- type: 'long',
- description:
- "VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. ",
- },
- {
- name: 'flow_id',
- type: 'alias',
- path: 'flow.id',
- migration: true,
- },
- {
- name: 'final',
- type: 'alias',
- path: 'flow.final',
- migration: true,
- },
- {
- name: 'vlan',
- type: 'alias',
- path: 'flow.vlan',
- migration: true,
- },
- {
- name: 'source.stats.net_bytes_total',
- type: 'alias',
- path: 'source.bytes',
- migration: true,
- },
- {
- name: 'source.stats.net_packets_total',
- type: 'alias',
- path: 'source.packets',
- migration: true,
- },
- {
- name: 'dest.stats.net_bytes_total',
- type: 'alias',
- path: 'destination.bytes',
- migration: true,
- },
- {
- name: 'dest.stats.net_packets_total',
- type: 'alias',
- path: 'destination.packets',
- migration: true,
- },
- ],
- },
- {
- key: 'trans_event',
- title: 'Transaction Event',
- description: 'These fields contain data about the transaction itself.',
- fields: [
- {
- name: 'status',
- description:
- 'The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.',
- required: true,
- possible_values: ['OK', 'Error', 'Server Error', 'Client Error'],
- },
- {
- name: 'method',
- description:
- 'The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).',
- },
- {
- name: 'resource',
- description:
- 'The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.',
- },
- {
- name: 'path',
- required: true,
- description:
- 'The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.',
- },
- {
- name: 'query',
- type: 'keyword',
- description:
- 'The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.',
- },
- {
- name: 'params',
- type: 'text',
- description:
- 'The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.',
- },
- {
- name: 'notes',
- type: 'alias',
- path: 'error.message',
- description:
- 'Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting.',
- },
- ],
- },
- {
- key: 'raw',
- title: 'Raw',
- description: 'These fields contain the raw transaction data.',
- fields: [
- {
- name: 'request',
- type: 'text',
- description:
- 'For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.',
- },
- {
- name: 'response',
- type: 'text',
- description:
- 'For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.',
- },
- ],
- },
- {
- key: 'trans_measurements',
- title: 'Measurements (Transactions)',
- description: 'These fields contain measurements related to the transaction.',
- fields: [
- {
- name: 'bytes_in',
- type: 'alias',
- path: 'source.bytes',
- description:
- 'The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers.',
- },
- {
- name: 'bytes_out',
- type: 'alias',
- path: 'destination.bytes',
- description:
- 'The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers.',
- },
- ],
- },
- {
- key: 'amqp',
- title: 'AMQP',
- description: 'AMQP specific event fields.',
- fields: [
- {
- name: 'amqp',
- type: 'group',
- fields: [
- {
- name: 'reply-code',
- type: 'long',
- description: 'AMQP reply code to an error, similar to http reply-code',
- example: 404,
+ ignore_above: 1024,
+ description: "File owner's username.",
+ example: 'alice',
},
{
- name: 'reply-text',
+ name: 'path',
+ level: 'extended',
type: 'keyword',
- description: 'Text explaining the error.',
- },
- {
- name: 'class-id',
- type: 'long',
- description: 'Failing method class.',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Full path to the file, including the file name. It should include\nthe drive letter, when appropriate.',
+ example: '/home/alice/example.png',
},
{
- name: 'method-id',
- type: 'long',
- description: 'Failing method ID.',
+ name: 'pe.company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'exchange',
+ name: 'pe.description',
+ level: 'extended',
type: 'keyword',
- description: 'Name of the exchange.',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
},
{
- name: 'exchange-type',
+ name: 'pe.file_version',
+ level: 'extended',
type: 'keyword',
- description: 'Exchange type.',
- example: 'fanout',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
},
{
- name: 'passive',
- type: 'boolean',
- description: 'If set, do not create exchange/queue.',
+ name: 'pe.original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
},
{
- name: 'durable',
- type: 'boolean',
- description: 'If set, request a durable exchange/queue.',
+ name: 'pe.product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
},
{
- name: 'exclusive',
- type: 'boolean',
- description: 'If set, request an exclusive queue.',
+ name: 'size',
+ level: 'extended',
+ type: 'long',
+ description: 'File size in bytes.\n\nOnly relevant when `file.type` is "file".',
+ example: 16384,
},
{
- name: 'auto-delete',
- type: 'boolean',
- description: 'If set, auto-delete queue when unused.',
+ name: 'target_path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Target path for symlinks.',
},
{
- name: 'no-wait',
- type: 'boolean',
- description: 'If set, the server will not respond to the method.',
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'File type (file, dir, or symlink).',
+ example: 'file',
},
{
- name: 'consumer-tag',
- description: 'Identifier for the consumer, valid within the current channel.',
+ name: 'uid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The user ID (UID) or security identifier (SID) of the file owner.',
+ example: '1001',
},
+ ],
+ },
+ {
+ name: 'geo',
+ title: 'Geo',
+ group: 2,
+ description:
+ 'Geo fields can carry data about a specific location related to an\nevent.\n\nThis geolocation information can be derived from techniques such as Geo IP,\nor be user-supplied.',
+ type: 'group',
+ fields: [
{
- name: 'delivery-tag',
- type: 'long',
- description: 'The server-assigned and channel-specific delivery tag.',
+ name: 'city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'message-count',
- type: 'long',
- description:
- 'The number of messages in the queue, which will be zero for newly-declared queues.',
+ name: 'continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'consumer-count',
- type: 'long',
- description: 'The number of consumers of a queue.',
+ name: 'country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'routing-key',
+ name: 'country_name',
+ level: 'core',
type: 'keyword',
- description: 'Message routing key.',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'no-ack',
- type: 'boolean',
- description: 'If set, the server does not expect acknowledgements for messages.',
+ name: 'location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
{
- name: 'no-local',
- type: 'boolean',
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'If set, the server will not send messages to the connection that published them.',
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'if-unused',
- type: 'boolean',
- description: 'Delete only if unused.',
+ name: 'region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'if-empty',
- type: 'boolean',
- description: 'Delete only if empty.',
+ name: 'region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
+ ],
+ },
+ {
+ name: 'group',
+ title: 'Group',
+ group: 2,
+ description:
+ 'The group fields are meant to represent groups that are relevant\nto the event.',
+ type: 'group',
+ fields: [
{
- name: 'queue',
+ name: 'domain',
+ level: 'extended',
type: 'keyword',
- description: 'The queue name identifies the queue within the vhost.',
- },
- {
- name: 'redelivered',
- type: 'boolean',
- description:
- 'Indicates that the message has been previously delivered to this or another client.',
- },
- {
- name: 'multiple',
- type: 'boolean',
- description: 'Acknowledge multiple messages.',
- },
- {
- name: 'arguments',
- type: 'object',
+ ignore_above: 1024,
description:
- 'Optional additional arguments passed to some methods. Can be of various types.',
- },
- {
- name: 'mandatory',
- type: 'boolean',
- description: 'Indicates mandatory routing.',
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'immediate',
- type: 'boolean',
- description: 'Request immediate delivery.',
- },
- {
- name: 'content-type',
+ name: 'id',
+ level: 'extended',
type: 'keyword',
- description: 'MIME content type.',
- example: 'text/plain',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
- name: 'content-encoding',
+ name: 'name',
+ level: 'extended',
type: 'keyword',
- description: 'MIME content encoding.',
- },
- {
- name: 'headers',
- type: 'object',
- object_type: 'keyword',
- description: 'Message header field table.',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
+ ],
+ },
+ {
+ name: 'hash',
+ title: 'Hash',
+ group: 2,
+ description:
+ 'The hash fields represent different hash algorithms and their values.\n\nField names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for\nother hashes by lowercasing the hash algorithm name and using underscore separators\nas appropriate (snake case, e.g. sha3_512).',
+ type: 'group',
+ fields: [
{
- name: 'delivery-mode',
+ name: 'md5',
+ level: 'extended',
type: 'keyword',
- description: 'Non-persistent (1) or persistent (2).',
- },
- {
- name: 'priority',
- type: 'long',
- description: 'Message priority, 0 to 9.',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
},
{
- name: 'correlation-id',
+ name: 'sha1',
+ level: 'extended',
type: 'keyword',
- description: 'Application correlation identifier.',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
},
{
- name: 'reply-to',
+ name: 'sha256',
+ level: 'extended',
type: 'keyword',
- description: 'Address to reply to.',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
},
{
- name: 'expiration',
+ name: 'sha512',
+ level: 'extended',
type: 'keyword',
- description: 'Message expiration specification.',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
},
+ ],
+ },
+ {
+ name: 'host',
+ title: 'Host',
+ group: 2,
+ description:
+ 'A host is defined as a general computing instance.\n\nECS host.* fields should be populated with details about the host on which the\nevent happened, or from which the measurement was taken. Host types include\nhardware, virtual machines, Docker containers, and Kubernetes nodes.',
+ type: 'group',
+ fields: [
{
- name: 'message-id',
+ name: 'architecture',
+ level: 'core',
type: 'keyword',
- description: 'Application message identifier.',
+ ignore_above: 1024,
+ description: 'Operating system architecture.',
+ example: 'x86_64',
},
{
- name: 'timestamp',
+ name: 'domain',
+ level: 'extended',
type: 'keyword',
- description: 'Message timestamp.',
+ ignore_above: 1024,
+ description:
+ 'Name of the domain of which the host is a member.\n\nFor example, on Windows this could be the host Active Directory domain\nor NetBIOS domain name. For Linux this could be the domain of the host\nLDAP provider.',
+ example: 'CONTOSO',
+ default_field: false,
},
{
- name: 'type',
+ name: 'geo.city_name',
+ level: 'core',
type: 'keyword',
- description: 'Message type name.',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'user-id',
+ name: 'geo.continent_name',
+ level: 'core',
type: 'keyword',
- description: 'Creating user id.',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'app-id',
+ name: 'geo.country_iso_code',
+ level: 'core',
type: 'keyword',
- description: 'Creating application id.',
- },
- ],
- },
- ],
- },
- {
- key: 'cassandra',
- title: 'Cassandra',
- description: 'Cassandra v4/3 specific event fields.',
- fields: [
- {
- name: 'no_request',
- type: 'alias',
- path: 'cassandra.no_request',
- migration: true,
- },
- {
- name: 'cassandra',
- type: 'group',
- description: 'Information about the Cassandra request and response.',
- fields: [
- {
- name: 'no_request',
- type: 'boolean',
- description: 'Indicates that there is no request because this is a PUSH message.',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'request',
- type: 'group',
- description: 'Cassandra request.',
- fields: [
- {
- name: 'headers',
- type: 'group',
- description: 'Cassandra request headers.',
- fields: [
- {
- name: 'version',
- type: 'long',
- description: 'The version of the protocol.',
- },
- {
- name: 'flags',
- type: 'keyword',
- description: 'Flags applying to this frame.',
- },
- {
- name: 'stream',
- type: 'keyword',
- description:
- 'A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.',
- },
- {
- name: 'op',
- type: 'keyword',
- description: 'An operation type that distinguishes the actual message.',
- },
- {
- name: 'length',
- type: 'long',
- description:
- 'A integer representing the length of the body of the frame (a frame is limited to 256MB in length).',
- },
- ],
- },
- {
- name: 'query',
- type: 'keyword',
- description: 'The CQL query which client send to cassandra.',
- },
- ],
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'response',
- type: 'group',
- description: 'Cassandra response.',
- fields: [
- {
- name: 'headers',
- type: 'group',
- description:
- "Cassandra response headers, the structure is as same as request's header.",
- fields: [
- {
- name: 'version',
- type: 'long',
- description: 'The version of the protocol.',
- },
- {
- name: 'flags',
- type: 'keyword',
- description: 'Flags applying to this frame.',
- },
- {
- name: 'stream',
- type: 'keyword',
- description:
- 'A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.',
- },
- {
- name: 'op',
- type: 'keyword',
- description: 'An operation type that distinguishes the actual message.',
- },
- {
- name: 'length',
- type: 'long',
- description:
- 'A integer representing the length of the body of the frame (a frame is limited to 256MB in length).',
- },
- ],
- },
- {
- name: 'result',
- type: 'group',
- description: 'Details about the returned result.',
- fields: [
- {
- name: 'type',
- type: 'keyword',
- description: 'Cassandra result type.',
- },
- {
- name: 'rows',
- type: 'group',
- description: 'Details about the rows.',
- fields: [
- {
- name: 'num_rows',
- type: 'long',
- description: 'Representing the number of rows present in this result.',
- },
- {
- name: 'meta',
- type: 'group',
- description: 'Composed of result metadata.',
- fields: [
- {
- name: 'keyspace',
- type: 'keyword',
- description:
- 'Only present after set Global_tables_spec, the keyspace name.',
- },
- {
- name: 'table',
- type: 'keyword',
- description:
- 'Only present after set Global_tables_spec, the table name.',
- },
- {
- name: 'flags',
- type: 'keyword',
- description:
- 'Provides information on the formatting of the remaining information.',
- },
- {
- name: 'col_count',
- type: 'long',
- description:
- 'Representing the number of columns selected by the query that produced this result.',
- },
- {
- name: 'pkey_columns',
- type: 'long',
- description: 'Representing the PK columns index and counts.',
- },
- {
- name: 'paging_state',
- type: 'keyword',
- description:
- 'The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.',
- },
- ],
- },
- ],
- },
- {
- name: 'keyspace',
- type: 'keyword',
- description: 'Indicating the name of the keyspace that has been set.',
- },
- {
- name: 'schema_change',
- type: 'group',
- description: 'The result to a schema_change message.',
- fields: [
- {
- name: 'change',
- type: 'keyword',
- description: 'Representing the type of changed involved.',
- },
- {
- name: 'keyspace',
- type: 'keyword',
- description: 'This describes which keyspace has changed.',
- },
- {
- name: 'table',
- type: 'keyword',
- description: 'This describes which table has changed.',
- },
- {
- name: 'object',
- type: 'keyword',
- description:
- 'This describes the name of said affected object (either the table, user type, function, or aggregate name).',
- },
- {
- name: 'target',
- type: 'keyword',
- description:
- 'Target could be "FUNCTION" or "AGGREGATE", multiple arguments.',
- },
- {
- name: 'name',
- type: 'keyword',
- description: 'The function/aggregate name.',
- },
- {
- name: 'args',
- type: 'keyword',
- description: 'One string for each argument type (as CQL type).',
- },
- ],
- },
- {
- name: 'prepared',
- type: 'group',
- description: 'The result to a PREPARE message.',
- fields: [
- {
- name: 'prepared_id',
- type: 'keyword',
- description: 'Representing the prepared query ID.',
- },
- {
- name: 'req_meta',
- type: 'group',
- description: 'This describes the request metadata.',
- fields: [
- {
- name: 'keyspace',
- type: 'keyword',
- description:
- 'Only present after set Global_tables_spec, the keyspace name.',
- },
- {
- name: 'table',
- type: 'keyword',
- description:
- 'Only present after set Global_tables_spec, the table name.',
- },
- {
- name: 'flags',
- type: 'keyword',
- description:
- 'Provides information on the formatting of the remaining information.',
- },
- {
- name: 'col_count',
- type: 'long',
- description:
- 'Representing the number of columns selected by the query that produced this result.',
- },
- {
- name: 'pkey_columns',
- type: 'long',
- description: 'Representing the PK columns index and counts.',
- },
- {
- name: 'paging_state',
- type: 'keyword',
- description:
- 'The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.',
- },
- ],
- },
- {
- name: 'resp_meta',
- type: 'group',
- description: 'This describes the metadata for the result set.',
- fields: [
- {
- name: 'keyspace',
- type: 'keyword',
- description:
- 'Only present after set Global_tables_spec, the keyspace name.',
- },
- {
- name: 'table',
- type: 'keyword',
- description:
- 'Only present after set Global_tables_spec, the table name.',
- },
- {
- name: 'flags',
- type: 'keyword',
- description:
- 'Provides information on the formatting of the remaining information.',
- },
- {
- name: 'col_count',
- type: 'long',
- description:
- 'Representing the number of columns selected by the query that produced this result.',
- },
- {
- name: 'pkey_columns',
- type: 'long',
- description: 'Representing the PK columns index and counts.',
- },
- {
- name: 'paging_state',
- type: 'keyword',
- description:
- 'The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.',
- },
- ],
- },
- ],
- },
- ],
- },
- {
- name: 'supported',
- type: 'object',
- object_type: 'keyword',
- description:
- 'Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message.',
- },
- {
- name: 'authentication',
- type: 'group',
- description:
- 'Indicates that the server requires authentication, and which authentication mechanism to use.',
- fields: [
- {
- name: 'class',
- type: 'keyword',
- description: 'Indicates the full class name of the IAuthenticator in use',
- },
- ],
- },
- {
- name: 'warnings',
- type: 'keyword',
- description: 'The text of the warnings, only occur when Warning flag was set.',
- },
- {
- name: 'event',
- type: 'group',
- description:
- 'Event pushed by the server. A client will only receive events for the types it has REGISTERed to.',
- fields: [
- {
- name: 'type',
- type: 'keyword',
- description: 'Representing the event type.',
- },
- {
- name: 'change',
- type: 'keyword',
- description:
- 'The message corresponding respectively to the type of change followed by the address of the new/removed node.',
- },
- {
- name: 'host',
- type: 'keyword',
- description: 'Representing the node ip.',
- },
- {
- name: 'port',
- type: 'long',
- description: 'Representing the node port.',
- },
- {
- name: 'schema_change',
- type: 'group',
- description: 'The events details related to schema change.',
- fields: [
- {
- name: 'change',
- type: 'keyword',
- description: 'Representing the type of changed involved.',
- },
- {
- name: 'keyspace',
- type: 'keyword',
- description: 'This describes which keyspace has changed.',
- },
- {
- name: 'table',
- type: 'keyword',
- description: 'This describes which table has changed.',
- },
- {
- name: 'object',
- type: 'keyword',
- description:
- 'This describes the name of said affected object (either the table, user type, function, or aggregate name).',
- },
- {
- name: 'target',
- type: 'keyword',
- description:
- 'Target could be "FUNCTION" or "AGGREGATE", multiple arguments.',
- },
- {
- name: 'name',
- type: 'keyword',
- description: 'The function/aggregate name.',
- },
- {
- name: 'args',
- type: 'keyword',
- description: 'One string for each argument type (as CQL type).',
- },
- ],
- },
- ],
- },
- {
- name: 'error',
- type: 'group',
- description:
- 'Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow.',
- fields: [
- {
- name: 'code',
- type: 'long',
- description: 'The error code of the Cassandra response.',
- },
- {
- name: 'msg',
- type: 'keyword',
- description: 'The error message of the Cassandra response.',
- },
- {
- name: 'type',
- type: 'keyword',
- description: 'The error type of the Cassandra response.',
- },
- {
- name: 'details',
- type: 'group',
- description: 'The details of the error.',
- fields: [
- {
- name: 'read_consistency',
- type: 'keyword',
- description:
- 'Representing the consistency level of the query that triggered the exception.',
- },
- {
- name: 'required',
- type: 'long',
- description:
- 'Representing the number of nodes that should be alive to respect consistency level.',
- },
- {
- name: 'alive',
- type: 'long',
- description:
- 'Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered).',
- },
- {
- name: 'received',
- type: 'long',
- description:
- 'Representing the number of nodes having acknowledged the request.',
- },
- {
- name: 'blockfor',
- type: 'long',
- description:
- 'Representing the number of replicas whose acknowledgement is required to achieve consistency level.',
- },
- {
- name: 'write_type',
- type: 'keyword',
- description: 'Describe the type of the write that timed out.',
- },
- {
- name: 'data_present',
- type: 'boolean',
- description: 'It means the replica that was asked for data had responded.',
- },
- {
- name: 'keyspace',
- type: 'keyword',
- description: 'The keyspace of the failed function.',
- },
- {
- name: 'table',
- type: 'keyword',
- description: 'The keyspace of the failed function.',
- },
- {
- name: 'stmt_id',
- type: 'keyword',
- description: 'Representing the unknown ID.',
- },
- {
- name: 'num_failures',
- type: 'keyword',
- description:
- 'Representing the number of nodes that experience a failure while executing the request.',
- },
- {
- name: 'function',
- type: 'keyword',
- description: 'The name of the failed function.',
- },
- {
- name: 'arg_types',
- type: 'keyword',
- description:
- 'One string for each argument type (as CQL type) of the failed function.',
- },
- ],
- },
- ],
- },
- ],
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
- ],
- },
- ],
- },
- {
- key: 'dhcpv4',
- title: 'DHCPv4',
- description: 'DHCPv4 event fields',
- fields: [
- {
- name: 'dhcpv4',
- type: 'group',
- fields: [
{
- name: 'transaction_id',
+ name: 'geo.name',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server.',
- },
- {
- name: 'seconds',
- type: 'long',
- description:
- 'Number of seconds elapsed since client began address acquisition or renewal process.',
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'flags',
+ name: 'geo.region_iso_code',
+ level: 'core',
type: 'keyword',
- description:
- 'Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast.',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'client_ip',
- type: 'ip',
- description: 'The current IP address of the client.',
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
{
- name: 'assigned_ip',
- type: 'ip',
+ name: 'hostname',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address.',
+ 'Hostname of the host.\n\nIt normally contains what the `hostname` command returns on the host machine.',
},
{
- name: 'server_ip',
- type: 'ip',
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The IP address of the DHCP server that the client should use for the next step in the bootstrap process.',
+ 'Unique host id.\n\nAs hostname is not always unique, use values that are meaningful in your environment.\n\nExample: The current usage of `beat.name`.',
},
{
- name: 'relay_ip',
+ name: 'ip',
+ level: 'core',
type: 'ip',
- description:
- 'The relay IP address used by the client to contact the server (i.e. a DHCP relay server).',
+ description: 'Host ip addresses.',
},
{
- name: 'client_mac',
+ name: 'mac',
+ level: 'core',
type: 'keyword',
- description: "The client's MAC address (layer two).",
+ ignore_above: 1024,
+ description: 'Host mac addresses.',
},
{
- name: 'server_name',
+ name: 'name',
+ level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages.',
+ 'Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.',
},
{
- name: 'op_code',
+ name: 'os.family',
+ level: 'extended',
type: 'keyword',
- example: 'bootreply',
- description: 'The message op code (bootrequest or bootreply).',
- },
- {
- name: 'hops',
- type: 'long',
- description: 'The number of hops the DHCP message went through.',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
},
{
- name: 'hardware_type',
+ name: 'os.full',
+ level: 'extended',
type: 'keyword',
- description:
- 'The type of hardware used for the local network (Ethernet, LocalTalk, etc).',
- },
- {
- name: 'option',
- type: 'group',
- fields: [
- {
- name: 'message_type',
- type: 'keyword',
- example: 'ack',
- description:
- 'The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform).',
- },
- {
- name: 'parameter_request_list',
- type: 'keyword',
- description:
- 'This option is used by a DHCP client to request values for specified configuration parameters.',
- },
- {
- name: 'requested_ip_address',
- type: 'ip',
- description:
- 'This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned.',
- },
- {
- name: 'server_identifier',
- type: 'ip',
- description: 'IP address of the individual DHCP server which handled this message.',
- },
- {
- name: 'broadcast_address',
- type: 'ip',
- description:
- "This option specifies the broadcast address in use on the client's subnet. ",
- },
- {
- name: 'max_dhcp_message_size',
- type: 'long',
- description:
- 'This option specifies the maximum length DHCP message that the client is willing to accept.',
- },
- {
- name: 'class_identifier',
- type: 'keyword',
- description:
- "This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client's hardware configuration. ",
- },
- {
- name: 'domain_name',
- type: 'keyword',
- description:
- 'This option specifies the domain name that client should use when resolving hostnames via the Domain Name System.',
- },
- {
- name: 'dns_servers',
- type: 'ip',
- description:
- 'The domain name server option specifies a list of Domain Name System servers available to the client.',
- },
- {
- name: 'vendor_identifying_options',
- type: 'object',
- description:
- 'A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925.',
- },
- {
- name: 'subnet_mask',
- type: 'ip',
- description: 'The subnet mask that the client should use on the currnet network.',
- },
- {
- name: 'utc_time_offset_sec',
- type: 'long',
- description:
- "The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). ",
- },
- {
- name: 'router',
- type: 'ip',
- description:
- "The router option specifies a list of IP addresses for routers on the client's subnet. ",
- },
- {
- name: 'time_servers',
- type: 'ip',
- description:
- 'The time server option specifies a list of RFC 868 time servers available to the client.',
- },
- {
- name: 'ntp_servers',
- type: 'ip',
- description:
- 'This option specifies a list of IP addresses indicating NTP servers available to the client.',
- },
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'hostname',
- type: 'keyword',
- description: 'This option specifies the name of the client.',
- },
- {
- name: 'ip_address_lease_time_sec',
- type: 'long',
- description:
- 'This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer.',
- },
- {
- name: 'message',
+ name: 'text',
type: 'text',
- description:
- 'This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters.',
- },
- {
- name: 'renewal_time_sec',
- type: 'long',
- description:
- 'This option specifies the time interval from address assignment until the client transitions to the RENEWING state.',
- },
- {
- name: 'rebinding_time_sec',
- type: 'long',
- description:
- 'This option specifies the time interval from address assignment until the client transitions to the REBINDING state.',
- },
- {
- name: 'boot_file_name',
- type: 'keyword',
- description:
- "This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. ",
+ norms: false,
+ default_field: false,
},
],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
},
- ],
- },
- ],
- },
- {
- key: 'dns',
- title: 'DNS',
- description: 'DNS-specific event fields.',
- fields: [
- {
- name: 'dns',
- type: 'group',
- fields: [
{
- name: 'id',
- type: 'long',
- description:
- 'The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.',
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
},
{
- name: 'op_code',
- description:
- 'The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.',
- example: 'QUERY',
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
},
{
- name: 'flags.authoritative',
- type: 'boolean',
- description:
- 'A DNS flag specifying that the responding server is an authority for the domain name used in the question.',
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
},
{
- name: 'flags.recursion_available',
- type: 'boolean',
- description:
- 'A DNS flag specifying whether recursive query support is available in the name server.',
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
},
{
- name: 'flags.recursion_desired',
- type: 'boolean',
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.',
+ 'Type of host.\n\nFor Cloud providers this can be the machine type like `t2.medium`. If vm,\nthis could be the container, for example, or other information meaningful\nin your environment.',
},
{
- name: 'flags.authentic_data',
- type: 'boolean',
- description:
- 'A DNS flag specifying that the recursive server considers the response authentic.',
+ name: 'uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the host has been up.',
+ example: 1325,
},
{
- name: 'flags.checking_disabled',
- type: 'boolean',
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'A DNS flag specifying that the client disables the server signature validation of the query.',
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'flags.truncated_response',
- type: 'boolean',
- description:
- 'A DNS flag specifying that only the first 512 bytes of the reply were returned.',
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
},
{
- name: 'response_code',
- description: 'The DNS status code.',
- example: 'NOERROR',
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
},
{
- name: 'question.name',
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The domain name being queried. If the name field contains non-printable characters (below 32 or above 126), then those characters are represented as escaped base 10 integers (\\DDD). Back slashes and quotes are escaped. Tabs, carriage returns, and line feeds are converted to \\t, \\r, and respectively.',
- example: 'www.google.com.',
- },
- {
- name: 'question.type',
- description: 'The type of records being queried.',
- example: 'AAAA',
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'question.class',
- description: 'The class of of records being queried.',
- example: 'IN',
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
- name: 'question.etld_plus_one',
- description:
- 'The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.',
- example: 'amazon.co.uk.',
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
{
- name: 'answers',
- type: 'object',
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'An array containing a dictionary about each answer section returned by the server.',
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
},
{
- name: 'answers_count',
- type: 'long',
- description: 'The number of resource records contained in the `dns.answers` field.',
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
},
{
- name: 'answers.name',
- description: 'The domain name to which this resource record pertains.',
- example: 'example.com.',
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
},
+ ],
+ },
+ {
+ name: 'http',
+ title: 'HTTP',
+ group: 2,
+ description:
+ 'Fields related to HTTP activity. Use the `url` field set to store\nthe url of the request.',
+ type: 'group',
+ fields: [
{
- name: 'answers.type',
- description: 'The type of data contained in this resource record.',
- example: 'MX',
+ name: 'request.body.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Size in bytes of the request body.',
+ example: 887,
},
{
- name: 'answers.class',
- description: 'The class of DNS data contained in this resource record.',
- example: 'IN',
+ name: 'request.body.content',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The full HTTP request body.',
+ example: 'Hello world',
},
{
- name: 'answers.ttl',
- description:
- 'The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.',
+ name: 'request.bytes',
+ level: 'extended',
type: 'long',
+ format: 'bytes',
+ description: 'Total size in bytes of the request (body and headers).',
+ example: 1437,
},
{
- name: 'answers.data',
+ name: 'request.method',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.',
+ 'HTTP request method.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'get, post, put',
},
{
- name: 'authorities',
- type: 'object',
- description:
- 'An array containing a dictionary for each authority section from the answer.',
+ name: 'request.referrer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Referrer for this HTTP request.',
+ example: 'https://blog.example.com/',
},
{
- name: 'authorities_count',
+ name: 'response.body.bytes',
+ level: 'extended',
type: 'long',
- description:
- 'The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat.',
- },
- {
- name: 'authorities.name',
- description: 'The domain name to which this resource record pertains.',
- example: 'example.com.',
+ format: 'bytes',
+ description: 'Size in bytes of the response body.',
+ example: 887,
},
{
- name: 'authorities.type',
- description: 'The type of data contained in this resource record.',
- example: 'NS',
+ name: 'response.body.content',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The full HTTP response body.',
+ example: 'Hello world',
},
{
- name: 'authorities.class',
- description: 'The class of DNS data contained in this resource record.',
- example: 'IN',
+ name: 'response.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Total size in bytes of the response (body and headers).',
+ example: 1437,
},
{
- name: 'additionals',
- type: 'object',
- description:
- 'An array containing a dictionary for each additional section from the answer.',
- },
- {
- name: 'additionals_count',
+ name: 'response.status_code',
+ level: 'extended',
type: 'long',
- description:
- 'The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat.',
- },
- {
- name: 'additionals.name',
- description: 'The domain name to which this resource record pertains.',
- example: 'example.com.',
- },
- {
- name: 'additionals.type',
- description: 'The type of data contained in this resource record.',
- example: 'NS',
- },
- {
- name: 'additionals.class',
- description: 'The class of DNS data contained in this resource record.',
- example: 'IN',
+ format: 'string',
+ description: 'HTTP response status code.',
+ example: 404,
},
{
- name: 'additionals.ttl',
- description:
- 'The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.',
- type: 'long',
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'HTTP version.',
+ example: 1.1,
},
+ ],
+ },
+ {
+ name: 'interface',
+ title: 'Interface',
+ group: 2,
+ description:
+ 'The interface fields are used to record ingress and egress interface\ninformation when reported by an observer (e.g. firewall, router, load balancer)\nin the context of the observer handling a network connection. In the case of\na single observer interface (e.g. network sensor on a span port) only the observer.ingress\ninformation should be populated.',
+ type: 'group',
+ fields: [
{
- name: 'additionals.data',
+ name: 'alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.',
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
},
{
- name: 'opt.version',
- description: 'The EDNS version.',
- example: '0',
- },
- {
- name: 'opt.do',
- type: 'boolean',
- description: 'If set, the transaction uses DNSSEC.',
- },
- {
- name: 'opt.ext_rcode',
- description: 'Extended response code field.',
- example: 'BADVERS',
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
},
{
- name: 'opt.udp_size',
- type: 'long',
- description: "Requestor's UDP payload size (in bytes).",
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
},
],
},
- ],
- },
- {
- key: 'http',
- title: 'HTTP',
- description: 'HTTP-specific event fields.',
- fields: [
{
- name: 'http',
+ name: 'log',
+ title: 'Log',
+ group: 2,
+ description:
+ 'Details about the event logging mechanism or logging transport.\n\nThe log.* fields are typically populated with details about the logging mechanism\nused to create and/or transport the event. For example, syslog details belong\nunder `log.syslog.*`.\n\nThe details specific to your event source are typically not logged under `log.*`,\nbut rather in `event.*` or in other ECS fields.',
type: 'group',
- description: 'Information about the HTTP request and response.',
fields: [
{
- name: 'request',
- description: 'HTTP request',
- type: 'group',
- fields: [
- {
- name: 'headers',
- type: 'object',
- object_type: 'keyword',
- description:
- 'A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.',
- },
- {
- name: 'params',
- type: 'alias',
- migration: true,
- path: 'url.query',
- },
- ],
+ name: 'level',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Original log level of the log event.\n\nIf the source of the event provides a log level or textual severity, this\nis the one that goes in `log.level`. If your source does not specify one,\nyou may put your event transport severity here (e.g. Syslog severity).\n\nSome examples are `warn`, `err`, `i`, `informational`.',
+ example: 'error',
},
{
- name: 'response',
- description: 'HTTP response',
- type: 'group',
- fields: [
- {
- name: 'status_phrase',
- description: 'The HTTP status phrase.',
- example: 'Not Found',
- },
- {
- name: 'headers',
- type: 'object',
- object_type: 'keyword',
- description:
- 'A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.',
- },
- {
- name: 'code',
- type: 'alias',
- migration: true,
- path: 'http.response.status_code',
- },
- {
- name: 'phrase',
- type: 'alias',
- migration: true,
- path: 'http.response.status_phrase',
- },
- ],
+ name: 'logger',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name of the logger inside an application. This is usually the\nname of the class which initialized the logger, or can be a custom name.',
+ example: 'org.elasticsearch.bootstrap.Bootstrap',
},
- ],
- },
- ],
- },
- {
- key: 'icmp',
- title: 'ICMP',
- description: 'ICMP specific event fields.',
- fields: [
- {
- name: 'icmp',
- type: 'group',
- fields: [
{
- name: 'version',
- description: 'The version of the ICMP protocol.',
- possible_values: [4, 6],
+ name: 'origin.file.line',
+ level: 'extended',
+ type: 'integer',
+ description:
+ 'The line number of the file containing the source code which originated\nthe log event.',
+ example: 42,
+ },
+ {
+ name: 'origin.file.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name of the file containing the source code which originated\nthe log event. Note that this is not the name of the log file.',
+ example: 'Bootstrap.java',
},
{
- name: 'request.message',
+ name: 'origin.function',
+ level: 'extended',
type: 'keyword',
- description: 'A human readable form of the request.',
+ ignore_above: 1024,
+ description: 'The name of the function or method which originated the log event.',
+ example: 'init',
},
{
- name: 'request.type',
- type: 'long',
- description: 'The request type.',
+ name: 'original',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is the original log message and contains the full log message\nbefore splitting it up in multiple parts.\n\nIn contrast to the `message` field which can contain an extracted part of\nthe log message, this field contains the original, full log message. It can\nhave already some modifications applied like encoding or new lines removed\nto clean up the log message.\n\nThis field is not indexed and doc_values are disabled so it cannot be queried\nbut the value can be retrieved from `_source`.',
+ example: 'Sep 19 08:26:10 localhost My log',
+ },
+ {
+ name: 'syslog',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'The Syslog metadata of the event, if the event was transmitted\nvia Syslog. Please see RFCs 5424 or 3164.',
},
{
- name: 'request.code',
+ name: 'syslog.facility.code',
+ level: 'extended',
type: 'long',
- description: 'The request code.',
+ format: 'string',
+ description:
+ 'The Syslog numeric facility of the log event, if available.\n\nAccording to RFCs 5424 and 3164, this value should be an integer between 0\nand 23.',
+ example: 23,
},
{
- name: 'response.message',
+ name: 'syslog.facility.name',
+ level: 'extended',
type: 'keyword',
- description: 'A human readable form of the response.',
+ ignore_above: 1024,
+ description: 'The Syslog text-based facility of the log event, if available.',
+ example: 'local7',
},
{
- name: 'response.type',
+ name: 'syslog.priority',
+ level: 'extended',
type: 'long',
- description: 'The response type.',
+ format: 'string',
+ description:
+ 'Syslog numeric priority of the event, if available.\n\nAccording to RFCs 5424 and 3164, the priority is 8 * facility + severity.\nThis number is therefore expected to contain a value between 0 and 191.',
+ example: 135,
},
{
- name: 'response.code',
+ name: 'syslog.severity.code',
+ level: 'extended',
type: 'long',
- description: 'The response code.',
+ description:
+ 'The Syslog numeric severity of the log event, if available.\n\nIf the event source publishing via Syslog provides a different numeric severity\nvalue (e.g. firewall, IDS), your source numeric severity should go to `event.severity`.\nIf the event source does not specify a distinct severity, you can optionally\ncopy the Syslog severity to `event.severity`.',
+ example: 3,
+ },
+ {
+ name: 'syslog.severity.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The Syslog numeric severity of the log event, if available.\n\nIf the event source publishing via Syslog provides a different severity value\n(e.g. firewall, IDS), your source text severity should go to `log.level`.\nIf the event source does not specify a distinct severity, you can optionally\ncopy the Syslog severity to `log.level`.',
+ example: 'Error',
},
],
},
- ],
- },
- {
- key: 'memcache',
- title: 'Memcache',
- description: 'Memcached-specific event fields',
- fields: [
{
- name: 'memcache',
+ name: 'network',
+ title: 'Network',
+ group: 2,
+ description:
+ 'The network is defined as the communication path over which a host\nor network event happens.\n\nThe network.* fields should be populated with details about the network activity\nassociated with an event.',
type: 'group',
fields: [
{
- name: 'protocol_type',
+ name: 'application',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type.',
+ 'A name given to an application level protocol. This can be arbitrarily\nassigned for things like microservices, but also apply to things like skype,\nicq, facebook, twitter. This would be used in situations where the vendor\nor service can be decoded such as from the source/dest IP owners, ports, or\nwire format.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'aim',
},
{
- name: 'request.line',
- type: 'keyword',
- description: 'The raw command line for unknown commands ONLY.',
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description:
+ 'Total bytes transferred in both directions.\n\nIf `source.bytes` and `destination.bytes` are known, `network.bytes` is their\nsum.',
+ example: 368,
},
{
- name: 'request.command',
+ name: 'community_id',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands.',
+ 'A hash of source and destination IPs and ports, as well as the\nprotocol used in a communication. This is a tool-agnostic standard to identify\nflows.\n\nLearn more at https://github.com/corelight/community-id-spec.',
+ example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=',
},
{
- name: 'response.command',
+ name: 'direction',
+ level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Either the text based protocol response message type or the name of the originating request if binary protocol is used.',
+ "Direction of the network traffic.\nRecommended values are:\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events from a host-based monitoring context, populate this field from the host's point of view.\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.",
+ example: 'inbound',
},
{
- name: 'request.type',
- type: 'keyword',
- description:
- 'The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth".',
+ name: 'forwarded_ip',
+ level: 'core',
+ type: 'ip',
+ description: 'Host IP address when the source IP address is the proxy.',
+ example: '192.1.1.2',
},
{
- name: 'response.type',
+ name: 'iana_number',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol).',
+ 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).\nStandardized list of protocols. This aligns well with NetFlow and sFlow related\nlogs which use the IANA Protocol Number.',
+ example: 6,
},
{
- name: 'response.error_msg',
- type: 'keyword',
+ name: 'inner',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
description:
- 'The optional error message in the memcache response (text based protocol only).',
+ 'Network.inner fields are added in addition to network.vlan fields\nto describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed\nfields include vlan.id and vlan.name. Inner vlan fields are typically used\nwhen sending traffic with multiple 802.1q encapsulations to a network sensor\n(e.g. Zeek, Wireshark.)',
+ default_field: false,
},
{
- name: 'request.opcode',
+ name: 'inner.vlan.id',
+ level: 'extended',
type: 'keyword',
- description: 'The binary protocol message opcode name.',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
},
{
- name: 'response.opcode',
+ name: 'inner.vlan.name',
+ level: 'extended',
type: 'keyword',
- description: 'The binary protocol message opcode name.',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
},
{
- name: 'request.opcode_value',
- type: 'long',
- description: 'The binary protocol message opcode value.',
- },
- {
- name: 'response.opcode_value',
- type: 'long',
- description: 'The binary protocol message opcode value.',
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name given by operators to sections of their network.',
+ example: 'Guest Wifi',
},
{
- name: 'request.opaque',
+ name: 'packets',
+ level: 'core',
type: 'long',
description:
- 'The binary protocol opaque header value used for correlating request with response messages.',
+ 'Total packets transferred in both directions.\n\nIf `source.packets` and `destination.packets` are known, `network.packets`\nis their sum.',
+ example: 24,
},
{
- name: 'response.opaque',
- type: 'long',
+ name: 'protocol',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The binary protocol opaque header value used for correlating request with response messages.',
- },
- {
- name: 'request.vbucket',
- type: 'long',
- description: 'The vbucket index sent in the binary message.',
+ 'L7 Network protocol name. ex. http, lumberjack, transport protocol.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'http',
},
{
- name: 'response.status',
+ name: 'transport',
+ level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The textual representation of the response error code (binary protocol only).',
+ 'Same as network.iana_number, but instead using the Keyword name\nof the transport layer (udp, tcp, ipv6-icmp, etc.)\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'tcp',
},
{
- name: 'response.status_code',
- type: 'long',
- description: 'The status code value returned in the response (binary protocol only).',
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'In the OSI Model this would be the Network Layer. ipv4, ipv6,\nipsec, pim, etc\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'ipv4',
},
{
- name: 'request.keys',
- type: 'array',
- description: 'The list of keys sent in the store or load commands.',
+ name: 'vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
},
{
- name: 'response.keys',
- type: 'array',
- description: 'The list of keys returned for the load command (if present).',
+ name: 'vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
},
+ ],
+ },
+ {
+ name: 'observer',
+ title: 'Observer',
+ group: 2,
+ description:
+ 'An observer is defined as a special network, security, or application\ndevice used to detect, observe, or create network, security, or application-related\nevents and metrics.\n\nThis could be a custom hardware appliance or a server that has been configured\nto run special network, security, or application software. Examples include\nfirewalls, web proxies, intrusion detection/prevention systems, network monitoring\nsensors, web application firewalls, data loss prevention systems, and APM servers.\nThe observer.* fields shall be populated with details of the system, if any,\nthat detects, observes and/or creates a network, security, or application event\nor metric. Message queues and ETL components used in processing events or metrics\nare not considered observers in ECS.',
+ type: 'group',
+ fields: [
{
- name: 'request.count_values',
- type: 'long',
+ name: 'egress',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
description:
- 'The number of values found in the memcache request message. If the command does not send any data, this field is missing.',
+ 'Observer.egress holds information like interface number and name,\nvlan, and zone information to classify egress traffic. Single armed monitoring\nsuch as a network sensor on a span port should only use observer.ingress\nto categorize traffic.',
+ default_field: false,
},
{
- name: 'response.count_values',
- type: 'long',
+ name: 'egress.interface.alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The number of values found in the memcache response message. If the command does not send any data, this field is missing.',
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
},
{
- name: 'request.values',
- type: 'array',
- description: 'The list of base64 encoded values sent with the request (if present).',
+ name: 'egress.interface.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
},
{
- name: 'response.values',
- type: 'array',
- description: 'The list of base64 encoded values sent with the response (if present).',
+ name: 'egress.interface.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
},
{
- name: 'request.bytes',
- type: 'long',
- format: 'bytes',
- description: 'The byte count of the values being transferred.',
+ name: 'egress.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
},
{
- name: 'response.bytes',
- type: 'long',
- format: 'bytes',
- description: 'The byte count of the values being transferred.',
+ name: 'egress.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
},
{
- name: 'request.delta',
- type: 'long',
- description: 'The counter increment/decrement delta value.',
+ name: 'egress.zone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Network zone of outbound traffic as reported by the observer to\ncategorize the destination area of egress traffic, e.g. Internal, External,\nDMZ, HR, Legal, etc.',
+ example: 'Public_Internet',
+ default_field: false,
},
{
- name: 'request.initial',
- type: 'long',
- description:
- 'The counter increment/decrement initial value parameter (binary protocol only).',
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'request.verbosity',
- type: 'long',
- description: 'The value of the memcache "verbosity" command.',
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'request.raw_args',
+ name: 'geo.country_iso_code',
+ level: 'core',
type: 'keyword',
- description:
- 'The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands.',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'request.source_class',
- type: 'long',
- description: "The source class id in 'slab reassign' command. ",
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'request.dest_class',
- type: 'long',
- description: "The destination class id in 'slab reassign' command. ",
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
{
- name: 'request.automove',
+ name: 'geo.name',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The automove mode in the \'slab automove\' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown.',
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'request.flags',
- type: 'long',
- description: 'The memcache command flags sent in the request (if present).',
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'response.flags',
- type: 'long',
- description: 'The memcache message flags sent in the response (if present).',
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
{
- name: 'request.exptime',
- type: 'long',
+ name: 'hostname',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Hostname of the observer.',
+ },
+ {
+ name: 'ingress',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
description:
- 'The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit).',
+ 'Observer.ingress holds information like interface number and name,\nvlan, and zone information to classify ingress traffic. Single armed monitoring\nsuch as a network sensor on a span port should only use observer.ingress\nto categorize traffic.',
+ default_field: false,
},
{
- name: 'request.sleep_us',
- type: 'long',
- description: "The sleep setting in microseconds for the 'lru_crawler sleep' command. ",
+ name: 'ingress.interface.alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
},
{
- name: 'response.value',
- type: 'long',
- description: 'The counter value returned by a counter operation.',
+ name: 'ingress.interface.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
},
{
- name: 'request.noreply',
- type: 'boolean',
- description:
- 'Set to true if noreply was set in the request. The `memcache.response` field will be missing.',
+ name: 'ingress.interface.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
},
{
- name: 'request.quiet',
- type: 'boolean',
+ name: 'ingress.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'ingress.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'ingress.zone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'Set to true if the binary protocol message is to be treated as a quiet message.',
+ 'Network zone of incoming traffic as reported by the observer to\ncategorize the source area of ingress traffic. e.g. internal, External, DMZ,\nHR, Legal, etc.',
+ example: 'DMZ',
+ default_field: false,
},
{
- name: 'request.cas_unique',
- type: 'long',
- description: 'The CAS (compare-and-swap) identifier if present.',
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'IP addresses of the observer.',
},
{
- name: 'response.cas_unique',
- type: 'long',
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC addresses of the observer',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).',
+ 'Custom name of the observer.\n\nThis is a name that can be given to an observer. This can be helpful for example\nif multiple firewalls of the same model are used in an organization.\n\nIf no custom name is needed, the field can be left empty.',
+ example: '1_proxySG',
+ },
+ {
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The product name of the observer.',
+ example: 's200',
+ },
+ {
+ name: 'serial_number',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Observer serial number.',
},
{
- name: 'response.stats',
- type: 'array',
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value".',
+ 'The type of the observer the data is coming from.\n\nThere is no predefined list of observer types. Some examples are `forwarder`,\n`firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.',
+ example: 'firewall',
+ },
+ {
+ name: 'vendor',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Vendor name of the observer.',
+ example: 'Symantec',
},
{
- name: 'response.version',
+ name: 'version',
+ level: 'core',
type: 'keyword',
- description: 'The returned memcache version string.',
+ ignore_above: 1024,
+ description: 'Observer version.',
},
],
},
- ],
- },
- {
- key: 'mongodb',
- title: 'MongoDb',
- description:
- 'MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well.',
- fields: [
{
- name: 'mongodb',
+ name: 'organization',
+ title: 'Organization',
+ group: 2,
+ description:
+ 'The organization fields enrich data with information about the company\nor entity the data is associated with.\n\nThese fields help you arrange or filter data stored in an index by one or multiple\norganizations.',
type: 'group',
fields: [
{
- name: 'error',
- description:
- 'If the MongoDB request has resulted in an error, this field contains the error message returned by the server.',
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the organization.',
},
{
- name: 'fullCollectionName',
- description:
- 'The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.',
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ },
+ ],
+ },
+ {
+ name: 'os',
+ title: 'Operating System',
+ group: 2,
+ description: 'The OS fields contain information about the operating system.',
+ type: 'group',
+ fields: [
+ {
+ name: 'family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
},
{
- name: 'numberToSkip',
- type: 'long',
+ name: 'full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ ],
+ },
+ {
+ name: 'package',
+ title: 'Package',
+ group: 2,
+ description:
+ 'These fields contain information about an installed software package.\nIt contains general information about a package, such as name, version or size.\nIt also contains installation details, such as time or location.',
+ type: 'group',
+ fields: [
+ {
+ name: 'architecture',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package architecture.',
+ example: 'x86_64',
+ },
+ {
+ name: 'build_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query.',
+ 'Additional information about the build version of the installed\npackage.\n\nFor example use the commit SHA of a non-released package.',
+ example: '36f4f7e89dd61b0988b12ee000b98966867710cd',
+ default_field: false,
},
{
- name: 'numberToReturn',
- type: 'long',
- description: 'The requested maximum number of documents to be returned.',
+ name: 'checksum',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Checksum of the installed package for verification.',
+ example: '68b329da9893e34099c7d8ad5cb9c940',
},
{
- name: 'numberReturned',
- type: 'long',
- description: 'The number of documents in the reply.',
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Description of the package.',
+ example:
+ 'Open source programming language to build simple/reliable/efficient\nsoftware.',
},
{
- name: 'startingFrom',
- description: 'Where in the cursor this reply is starting.',
+ name: 'install_scope',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Indicating how the package was installed, e.g. user-local, global.',
+ example: 'global',
},
{
- name: 'query',
+ name: 'installed',
+ level: 'extended',
+ type: 'date',
+ description: 'Time when package was installed.',
+ },
+ {
+ name: 'license',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.',
+ 'License under which the package was released.\n\nUse a short name, e.g. the license identifier from SPDX License List where\npossible (https://spdx.org/licenses/).',
+ example: 'Apache License 2.0',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package name',
+ example: 'go',
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Path where the package is installed.',
+ example: '/usr/local/Cellar/go/1.12.9/',
},
{
- name: 'returnFieldsSelector',
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.',
+ 'Home page or reference URL of the software in this package, if\navailable.',
+ example: 'https://golang.org',
+ default_field: false,
+ },
+ {
+ name: 'size',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Package size in bytes.',
+ example: 62231,
},
{
- name: 'selector',
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'A BSON document that specifies the query for selecting the document to update or delete.',
+ 'Type of package.\n\nThis should contain the package file type, rather than the package manager\nname. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.',
+ example: 'rpm',
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package version',
+ example: '1.12.9',
+ },
+ ],
+ },
+ {
+ name: 'pe',
+ title: 'PE Header',
+ group: 2,
+ description: 'These fields contain Windows Portable Executable (PE) metadata.',
+ type: 'group',
+ fields: [
+ {
+ name: 'company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'process',
+ title: 'Process',
+ group: 2,
+ description:
+ 'These fields contain information about a process.\n\nThese fields can help you correlate metrics information with a process id/name\nfrom a log message. The `process.pid` often stays in the metric itself and\nis copied to the global field for correlation.',
+ type: 'group',
+ fields: [
+ {
+ name: 'args',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.',
+ example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'],
+ },
+ {
+ name: 'args_count',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Length of the process.args array.\n\nThis field can be useful for querying or performing bucket analysis on how\nmany arguments were provided to start a process. More arguments may be an\nindication of suspicious activity.',
+ example: 4,
+ default_field: false,
+ },
+ {
+ name: 'code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'command_line',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'Full command line that started the process, including the absolute\npath to the executable, and all arguments.\n\nSome arguments may be filtered to protect sensitive information.',
+ example: '/usr/bin/ssh -l user 10.0.0.16',
+ default_field: false,
+ },
+ {
+ name: 'entity_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier for the process.\n\nThe implementation of this is specified by the data source, but some examples\nof what could be used here are a process-generated UUID, Sysmon Process GUIDs,\nor a hash of some uniquely identifying components of a process.\n\nConstructing a globally unique identifier is a common practice to mitigate\nPID reuse as well as to identify a specific process over time, across multiple\nmonitored hosts.',
+ example: 'c2c455d9f99375d',
+ default_field: false,
+ },
+ {
+ name: 'executable',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Absolute path to the process executable.',
+ example: '/usr/bin/ssh',
+ },
+ {
+ name: 'exit_code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The exit code of the process, if this is a termination event.\n\nThe field should be absent if there is no exit code for the event (e.g. process\nstart).',
+ example: 137,
+ default_field: false,
+ },
+ {
+ name: 'hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ },
+ {
+ name: 'hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ },
+ {
+ name: 'hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ },
+ {
+ name: 'hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Process name.\n\nSometimes called program name or similar.',
+ example: 'ssh',
+ },
+ {
+ name: 'parent.args',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of process arguments.\n\nMay be filtered to protect sensitive information.',
+ example: ['ssh', '-l', 'user', '10.0.0.16'],
+ default_field: false,
+ },
+ {
+ name: 'parent.args_count',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Length of the process.args array.\n\nThis field can be useful for querying or performing bucket analysis on how\nmany arguments were provided to start a process. More arguments may be an\nindication of suspicious activity.',
+ example: 4,
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.command_line',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'Full command line that started the process, including the absolute\npath to the executable, and all arguments.\n\nSome arguments may be filtered to protect sensitive information.',
+ example: '/usr/bin/ssh -l user 10.0.0.16',
+ default_field: false,
+ },
+ {
+ name: 'parent.entity_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier for the process.\n\nThe implementation of this is specified by the data source, but some examples\nof what could be used here are a process-generated UUID, Sysmon Process GUIDs,\nor a hash of some uniquely identifying components of a process.\n\nConstructing a globally unique identifier is a common practice to mitigate\nPID reuse as well as to identify a specific process over time, across multiple\nmonitored hosts.',
+ example: 'c2c455d9f99375d',
+ default_field: false,
+ },
+ {
+ name: 'parent.executable',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'Absolute path to the process executable.',
+ example: '/usr/bin/ssh',
+ default_field: false,
+ },
+ {
+ name: 'parent.exit_code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The exit code of the process, if this is a termination event.\n\nThe field should be absent if there is no exit code for the event (e.g. process\nstart).',
+ example: 137,
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'Process name.\n\nSometimes called program name or similar.',
+ example: 'ssh',
+ default_field: false,
+ },
+ {
+ name: 'parent.pgid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Identifier of the group of processes the process belongs to.',
+ default_field: false,
+ },
+ {
+ name: 'parent.pid',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Process id.',
+ example: 4242,
+ default_field: false,
+ },
+ {
+ name: 'parent.ppid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: "Parent process' pid.",
+ example: 4241,
+ default_field: false,
+ },
+ {
+ name: 'parent.start',
+ level: 'extended',
+ type: 'date',
+ description: 'The time the process started.',
+ example: '2016-05-23T08:05:34.853Z',
+ default_field: false,
+ },
+ {
+ name: 'parent.thread.id',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Thread ID.',
+ example: 4242,
+ default_field: false,
+ },
+ {
+ name: 'parent.thread.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Thread name.',
+ example: 'thread-0',
+ default_field: false,
+ },
+ {
+ name: 'parent.title',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'Process title.\n\nThe proctitle, some times the same as process name. Can also be different:\nfor example a browser setting its title to the web page currently opened.',
+ default_field: false,
+ },
+ {
+ name: 'parent.uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the process has been up.',
+ example: 1325,
+ default_field: false,
+ },
+ {
+ name: 'parent.working_directory',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'The working directory of the process.',
+ example: '/home/alice',
+ default_field: false,
+ },
+ {
+ name: 'pe.company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'pe.description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'pe.file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'pe.original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'pe.product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ {
+ name: 'pgid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Identifier of the group of processes the process belongs to.',
+ },
+ {
+ name: 'pid',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Process id.',
+ example: 4242,
+ },
+ {
+ name: 'ppid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: "Parent process' pid.",
+ example: 4241,
+ },
+ {
+ name: 'start',
+ level: 'extended',
+ type: 'date',
+ description: 'The time the process started.',
+ example: '2016-05-23T08:05:34.853Z',
+ },
+ {
+ name: 'thread.id',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Thread ID.',
+ example: 4242,
+ },
+ {
+ name: 'thread.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Thread name.',
+ example: 'thread-0',
+ },
+ {
+ name: 'title',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Process title.\n\nThe proctitle, some times the same as process name. Can also be different:\nfor example a browser setting its title to the web page currently opened.',
+ },
+ {
+ name: 'uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the process has been up.',
+ example: 1325,
+ },
+ {
+ name: 'working_directory',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The working directory of the process.',
+ example: '/home/alice',
+ },
+ ],
+ },
+ {
+ name: 'registry',
+ title: 'Registry',
+ group: 2,
+ description: 'Fields related to Windows Registry operations.',
+ type: 'group',
+ fields: [
+ {
+ name: 'data.bytes',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Original bytes written with base64 encoding.\n\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this\ncorresponds to the data pointed by `lp_data`. This is optional but provides\nbetter recoverability and should be populated for REG_BINARY encoded values.',
+ example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=',
+ default_field: false,
+ },
+ {
+ name: 'data.strings',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Content when writing string types.\n\nPopulated as an array when writing string data to the registry. For single\nstring registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with\none string. For sequences of string with REG_MULTI_SZ, this array will be\nvariable length. For numeric data, such as REG_DWORD and REG_QWORD, this should\nbe populated with the decimal representation (e.g `"1"`).',
+ example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]',
+ default_field: false,
+ },
+ {
+ name: 'data.type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Standard registry type for encoding contents',
+ example: 'REG_SZ',
+ default_field: false,
+ },
+ {
+ name: 'hive',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Abbreviated name for the hive.',
+ example: 'HKLM',
+ default_field: false,
+ },
+ {
+ name: 'key',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Hive-relative path of keys.',
+ example:
+ 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe',
+ default_field: false,
+ },
+ {
+ name: 'path',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Full path, including hive, key and value',
+ example:
+ 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution\nOptions\\winword.exe\\Debugger',
+ default_field: false,
+ },
+ {
+ name: 'value',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the value written.',
+ example: 'Debugger',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'related',
+ title: 'Related',
+ group: 2,
+ description:
+ 'This field set is meant to facilitate pivoting around a piece of\ndata.\n\nSome pieces of information can be seen in many places in an ECS event. To facilitate\nsearching for them, store an array of all seen values to their corresponding\nfield in `related.`.\n\nA concrete example is IP addresses, which can be under host, observer, source,\ndestination, client, server, and network.forwarded_ip. If you append all IPs\nto `related.ip`, you can then search for a given IP trivially, no matter where\nit appeared, by querying `related.ip:192.0.2.15`.',
+ type: 'group',
+ fields: [
+ {
+ name: 'hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ "All the hashes seen on your event. Populating this field, then\nusing it to search for hashes can help in situations where you're unsure what\nthe hash algorithm is (and therefore which key name to search).",
+ default_field: false,
+ },
+ {
+ name: 'ip',
+ level: 'extended',
+ type: 'ip',
+ description: 'All of the IPs seen on your event.',
+ },
+ {
+ name: 'user',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'All the user names seen on your event.',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'rule',
+ title: 'Rule',
+ group: 2,
+ description:
+ 'Rule fields are used to capture the specifics of any observer or\nagent rules that generate alerts or other notable events.\n\nExamples of data sources that would populate the rule fields include: network\nadmission control platforms, network or host IDS/IPS, network firewalls, web\napplication firewalls, url filters, endpoint detection and response (EDR) systems,\netc.',
+ type: 'group',
+ fields: [
+ {
+ name: 'author',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name, organization, or pseudonym of the author or authors who created\nthe rule used to generate this event.',
+ example: ['Star-Lord'],
+ default_field: false,
+ },
+ {
+ name: 'category',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A categorization value keyword used by the entity using the rule\nfor detection of this event.',
+ example: 'Attempted Information Leak',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The description of the rule generating the event.',
+ example: 'Block requests to public DNS over HTTPS / TLS protocols',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A rule ID that is unique within the scope of an agent, observer,\nor other entity using the rule for detection of this event.',
+ example: 101,
+ default_field: false,
+ },
+ {
+ name: 'license',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the license under which the rule used to generate this\nevent is made available.',
+ example: 'Apache 2.0',
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the rule or signature generating the event.',
+ example: 'BLOCK_DNS_over_TLS',
+ default_field: false,
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Reference URL to additional information about the rule used to\ngenerate this event.\n\nThe URL can point to the vendor documentation about the rule. If that is\nnot available, it can also be a link to a more general page describing this\ntype of alert.',
+ example: 'https://en.wikipedia.org/wiki/DNS_over_TLS',
+ default_field: false,
+ },
+ {
+ name: 'ruleset',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the ruleset, policy, group, or parent category in which\nthe rule used to generate this event is a member.',
+ example: 'Standard_Protocol_Filters',
+ default_field: false,
+ },
+ {
+ name: 'uuid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A rule ID that is unique within the scope of a set or group of\nagents, observers, or other entities using the rule for detection of this\nevent.',
+ example: 1100110011,
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The version / revision of the rule being used for analysis.',
+ example: 1.1,
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'server',
+ title: 'Server',
+ group: 2,
+ description:
+ 'A Server is defined as the responder in a network connection for\nevents regarding sessions, connections, or bidirectional flow records.\n\nFor TCP events, the server is the receiver of the initial SYN packet(s) of the\nTCP connection. For other protocols, the server is generally the responder in\nthe network transaction. Some systems actually use the term "responder" to refer\nthe server in TCP connections. The server fields describe details about the\nsystem acting as the server in the network event. Server fields are usually\npopulated in conjunction with client fields. Server fields are generally not\npopulated for packet-level events.\n\nClient / server representations can add semantic context to an exchange, which\nis helpful to visualize the data in certain situations. If your context falls\nin that category, you should still ensure that source and destination are filled\nappropriately.',
+ type: 'group',
+ fields: [
+ {
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event server addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the server to the client.',
+ example: 184,
+ },
+ {
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Server domain.',
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description:
+ 'IP address of the server.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the server.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated ip of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the server to the client.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the server.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered server domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'service',
+ title: 'Service',
+ group: 2,
+ description:
+ 'The service fields describe the service for or from which the data\nwas collected.\n\nThese fields help you find and correlate logs for a specific service and version.',
+ type: 'group',
+ fields: [
+ {
+ name: 'ephemeral_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Ephemeral identifier of this service (if one exists).\n\nThis id normally changes across restarts, but `service.id` does not.',
+ example: '8a4f500f',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the running service. If the service is comprised\nof many nodes, the `service.id` should be the same for all nodes.\n\nThis id should uniquely identify the service. This makes it possible to correlate\nlogs and metrics for one specific service, no matter which particular node\nemitted the event.\n\nNote that if you need to see the events from one specific host of the service,\nyou should filter on that `host.name` or `host.id` instead.',
+ example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the service data is collected from.\n\nThe name of the service is normally user given. This allows for distributed\nservices that run on multiple hosts to correlate the related instances based\non the name.\n\nIn the case of Elasticsearch the `service.name` could contain the cluster\nname. For Beats the `service.name` is by default a copy of the `service.type`\nfield if no name is specified.',
+ example: 'elasticsearch-metrics',
+ },
+ {
+ name: 'node.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of a service node.\n\nThis allows for two nodes of the same service running on the same host to\nbe differentiated. Therefore, `service.node.name` should typically be unique\nacross nodes of a given service.\n\nIn the case of Elasticsearch, the `service.node.name` could contain the unique\nnode name within the Elasticsearch cluster. In cases where the service does not\nhave the concept of a node name, the host name or container name can be used\nto distinguish running instances that make up this service. If those do not\nprovide uniqueness (e.g. multiple instances of the service running on the\nsame host) - the node name can be manually set.',
+ example: 'instance-0000000016',
+ },
+ {
+ name: 'state',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Current state of the service.',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of the service data is collected from.\n\nThe type can be used to group and correlate logs and metrics from one service\ntype.\n\nExample: If logs or metrics are collected from Elasticsearch, `service.type`\nwould be `elasticsearch`.',
+ example: 'elasticsearch',
+ },
+ {
+ name: 'version',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Version of the service the data was collected from.\n\nThis allows to look at a data set only for a specific version of a service.',
+ example: '3.2.4',
+ },
+ ],
+ },
+ {
+ name: 'source',
+ title: 'Source',
+ group: 2,
+ description:
+ 'Source fields describe details about the source of a packet/event.\n\nSource fields are usually populated in conjunction with destination fields.',
+ type: 'group',
+ fields: [
+ {
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event source addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the source to the destination.',
+ example: 184,
+ },
+ {
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Source domain.',
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description:
+ 'IP address of the source.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the source.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated ip of source based NAT sessions (e.g. internal client\nto internet)\n\nTypically connections traversing load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of source based NAT sessions. (e.g. internal client\nto internet)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the source to the destination.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the source.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered source domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'threat',
+ title: 'Threat',
+ group: 2,
+ description:
+ 'Fields to classify events and alerts according to a threat taxonomy\nsuch as the Mitre ATT&CK framework.\n\nThese fields are for users to classify alerts from all of their sources (e.g.\nIDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to\ncapture the high level category of the threat (e.g. "impact"). The threat.technique.*\nfields are meant to capture which kind of approach is used by this detected\nthreat, to accomplish the goal (e.g. "endpoint denial of service").',
+ type: 'group',
+ fields: [
+ {
+ name: 'framework',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the threat framework used to further categorize and classify\nthe tactic and technique of the reported threat. Framework classification\ncan be provided by detecting systems, evaluated at ingest time, or retrospectively\ntagged to events.',
+ example: 'MITRE ATT&CK',
+ },
+ {
+ name: 'tactic.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The id of tactic used by this threat. You can use the Mitre ATT&CK\nMatrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'TA0040',
+ },
+ {
+ name: 'tactic.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the type of tactic used by this threat. You can use the\nMitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'impact',
+ },
+ {
+ name: 'tactic.reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The reference url of tactic used by this threat. You can use the\nMitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'https://attack.mitre.org/tactics/TA0040/',
+ },
+ {
+ name: 'technique.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The id of technique used by this tactic. You can use the Mitre\nATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'T1499',
+ },
+ {
+ name: 'technique.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'The name of technique used by this tactic. You can use the Mitre\nATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'endpoint denial of service',
+ },
+ {
+ name: 'technique.reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The reference url of technique used by this tactic. You can use\nthe Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
+ },
+ {
+ name: 'tls',
+ title: 'TLS',
+ group: 2,
+ description:
+ 'Fields related to a TLS connection. These fields focus on the TLS\nprotocol itself and intentionally avoids in-depth analysis of the related x.509\ncertificate files.',
+ type: 'group',
+ fields: [
+ {
+ name: 'cipher',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'String indicating the cipher used during the current connection.',
+ example: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
+ default_field: false,
+ },
+ {
+ name: 'client.certificate',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'PEM-encoded stand-alone certificate offered by the client. This\nis usually mutually-exclusive of `client.certificate_chain` since this value\nalso exists in that list.',
+ example: 'MII...',
+ default_field: false,
+ },
+ {
+ name: 'client.certificate_chain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of PEM-encoded certificates that make up the certificate\nchain offered by the client. This is usually mutually-exclusive of `client.certificate`\nsince that value should be the first certificate in the chain.',
+ example: ['MII...', 'MII...'],
+ default_field: false,
+ },
+ {
+ name: 'client.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the MD5 digest of DER-encoded version\nof certificate offered by the client. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC',
+ default_field: false,
+ },
+ {
+ name: 'client.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA1 digest of DER-encoded version\nof certificate offered by the client. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '9E393D93138888D288266C2D915214D1D1CCEB2A',
+ default_field: false,
+ },
+ {
+ name: 'client.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA256 digest of DER-encoded\nversion of certificate offered by the client. For consistency with other hash\nvalues, this value should be formatted as an uppercase hash.',
+ example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0',
+ default_field: false,
+ },
+ {
+ name: 'client.issuer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Distinguished name of subject of the issuer of the x.509 certificate\npresented by the client.',
+ example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'client.ja3',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash that identifies clients based on how they perform an SSL/TLS\nhandshake.',
+ example: 'd4e5b18d6b55c71272893221c96ba240',
+ default_field: false,
+ },
+ {
+ name: 'client.not_after',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Date/Time indicating when client certificate is no longer considered\nvalid.',
+ example: '2021-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'client.not_before',
+ level: 'extended',
+ type: 'date',
+ description: 'Date/Time indicating when client certificate is first considered\nvalid.',
+ example: '1970-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'client.server_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Also called an SNI, this tells the server which hostname to which\nthe client is attempting to connect. When this value is available, it should\nget copied to `destination.domain`.',
+ example: 'www.elastic.co',
+ default_field: false,
+ },
+ {
+ name: 'client.subject',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Distinguished name of subject of the x.509 certificate presented\nby the client.',
+ example: 'CN=myclient, OU=Documentation Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'client.supported_ciphers',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Array of ciphers offered by the client during the client hello.',
+ example: [
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+ '...',
+ ],
+ default_field: false,
+ },
+ {
+ name: 'curve',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'String indicating the curve used for the given cipher, when applicable.',
+ example: 'secp256r1',
+ default_field: false,
+ },
+ {
+ name: 'established',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean flag indicating if the TLS negotiation was successful and\ntransitioned to an encrypted tunnel.',
+ default_field: false,
+ },
+ {
+ name: 'next_protocol',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'String indicating the protocol being tunneled. Per the values in\nthe IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),\nthis string should be lower case.',
+ example: 'http/1.1',
+ default_field: false,
+ },
+ {
+ name: 'resumed',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean flag indicating if this TLS connection was resumed from\nan existing TLS negotiation.',
+ default_field: false,
+ },
+ {
+ name: 'server.certificate',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'PEM-encoded stand-alone certificate offered by the server. This\nis usually mutually-exclusive of `server.certificate_chain` since this value\nalso exists in that list.',
+ example: 'MII...',
+ default_field: false,
+ },
+ {
+ name: 'server.certificate_chain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of PEM-encoded certificates that make up the certificate\nchain offered by the server. This is usually mutually-exclusive of `server.certificate`\nsince that value should be the first certificate in the chain.',
+ example: ['MII...', 'MII...'],
+ default_field: false,
+ },
+ {
+ name: 'server.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the MD5 digest of DER-encoded version\nof certificate offered by the server. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC',
+ default_field: false,
+ },
+ {
+ name: 'server.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA1 digest of DER-encoded version\nof certificate offered by the server. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '9E393D93138888D288266C2D915214D1D1CCEB2A',
+ default_field: false,
+ },
+ {
+ name: 'server.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA256 digest of DER-encoded\nversion of certificate offered by the server. For consistency with other hash\nvalues, this value should be formatted as an uppercase hash.',
+ example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0',
+ default_field: false,
+ },
+ {
+ name: 'server.issuer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject of the issuer of the x.509 certificate presented by the\nserver.',
+ example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'server.ja3s',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash that identifies servers based on how they perform an SSL/TLS\nhandshake.',
+ example: '394441ab65754e2207b1e1b457b3641d',
+ default_field: false,
+ },
+ {
+ name: 'server.not_after',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Timestamp indicating when server certificate is no longer considered\nvalid.',
+ example: '2021-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'server.not_before',
+ level: 'extended',
+ type: 'date',
+ description: 'Timestamp indicating when server certificate is first considered\nvalid.',
+ example: '1970-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'server.subject',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject of the x.509 certificate presented by the server.',
+ example: 'CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Numeric part of the version parsed from the original string.',
+ example: '1.2',
+ default_field: false,
+ },
+ {
+ name: 'version_protocol',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Normalized lowercase protocol name parsed from original string.',
+ example: 'tls',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'tracing',
+ title: 'Tracing',
+ group: 2,
+ description:
+ 'Distributed tracing makes it possible to analyze performance throughout\na microservice architecture all in one view. This is accomplished by tracing\nall of the requests - from the initial web request in the front-end service\n- to queries made through multiple back-end services.',
+ type: 'group',
+ fields: [
+ {
+ name: 'trace.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the trace.\n\nA trace groups multiple events like transactions that belong together. For\nexample, a user request handled by multiple inter-connected services.',
+ example: '4bf92f3577b34da6a3ce929d0e0e4736',
+ },
+ {
+ name: 'transaction.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the transaction.\n\nA transaction is the highest level of work measured within a service, such\nas a request to a server.',
+ example: '00f067aa0ba902b7',
+ },
+ ],
+ },
+ {
+ name: 'url',
+ title: 'URL',
+ group: 2,
+ description:
+ 'URL fields provide support for complete or partial URLs, and supports\nthe breaking down into scheme, domain, path, and so on.',
+ type: 'group',
+ fields: [
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Domain of the url, such as "www.elastic.co".\n\nIn some cases a URL may refer to an IP and/or port directly, without a domain\nname. In this case, the IP address would go to the `domain` field.',
+ example: 'www.elastic.co',
+ },
+ {
+ name: 'extension',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The field contains the file extension from the original request\nurl.\n\nThe file extension is only set if it exists, as not every url has a file extension.\n\nThe leading period must not be included. For example, the value must be "png",\nnot ".png".',
+ example: 'png',
+ },
+ {
+ name: 'fragment',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Portion of the url after the `#`, such as "top".\n\nThe `#` is not part of the fragment.',
+ },
+ {
+ name: 'full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'If full URLs are important to your use case, they should be stored\nin `url.full`, whether this field is reconstructed or present in the event\nsource.',
+ example: 'https://www.elastic.co:443/search?q=elasticsearch#top',
+ },
+ {
+ name: 'original',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Unmodified original url as seen in the event source.\n\nNote that in network monitoring, the observed URL may be a full URL, whereas\nin access logs, the URL is often just represented as a path.\n\nThis field is meant to represent the URL as it was observed, complete or not.',
+ example:
+ 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch',
+ },
+ {
+ name: 'password',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Password of the request.',
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Path of the request, such as "/search".',
+ },
+ {
+ name: 'port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the request, such as 443.',
+ example: 443,
+ },
+ {
+ name: 'query',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The query field describes the query string of the request, such\nas "q=elasticsearch".\n\nThe `?` is excluded from the query string. If a URL contains no `?`, there\nis no query field. If there is a `?` but no query, the query field exists\nwith an empty string. The `exists` query can be used to differentiate between\nthe two cases.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered url domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'scheme',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Scheme of the request, such as "https".\n\nNote: The `:` is not part of the scheme.',
+ example: 'https',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'username',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Username of the request.',
+ },
+ ],
+ },
+ {
+ name: 'user',
+ title: 'User',
+ group: 2,
+ description:
+ 'The user fields describe information about the user that is relevant\nto the event.\n\nFields can have one entry or multiple entries. If a user has more than one id,\nprovide an array that includes all of them.',
+ type: 'group',
+ fields: [
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'user_agent',
+ title: 'User agent',
+ group: 2,
+ description:
+ 'The user_agent fields normally come from a browser request.\n\nThey often show up in web service logs coming from the parsed user agent string.',
+ type: 'group',
+ fields: [
+ {
+ name: 'device.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the device.',
+ example: 'iPhone',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the user agent.',
+ example: 'Safari',
+ },
+ {
+ name: 'original',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'Unparsed user_agent string.',
+ example:
+ 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15\n(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
+ },
+ {
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Version of the user agent.',
+ example: 12,
+ },
+ ],
+ },
+ {
+ name: 'vlan',
+ title: 'VLAN',
+ group: 2,
+ description:
+ 'The VLAN fields are used to identify 802.1q tag(s) of a packet,\nas well as ingress and egress VLAN associations of an observer in relation to\na specific packet or connection.\n\nNetwork.vlan fields are used to record a single VLAN tag, or the outer tag in\nthe case of q-in-q encapsulations, for a packet or connection as observed, typically\nprovided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.\n\nNetwork.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple\n802.1q encapsulations) as observed, typically provided by a network sensor (e.g.\nZeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should\nonly be used in addition to network.vlan fields to indicate q-in-q tagging.\n\nObserver.ingress and observer.egress VLAN values are used to record observer\nspecific information when observer events contain discrete ingress and egress\nVLAN information, typically provided by firewalls, routers, or load balancers.',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'vulnerability',
+ title: 'Vulnerability',
+ group: 2,
+ description:
+ 'The vulnerability fields describe information about a vulnerability\nthat is relevant to an event.',
+ type: 'group',
+ fields: [
+ {
+ name: 'category',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of system or architecture that the vulnerability affects.\nThese may be platform-specific (for example, Debian or SUSE) or general (for\nexample, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys\nvulnerability categories])\n\nThis field must be an array.',
+ example: '["Firewall"]',
+ default_field: false,
+ },
+ {
+ name: 'classification',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The classification of the vulnerability scoring system. For example\n(https://www.first.org/cvss/)',
+ example: 'CVSS',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'The description of the vulnerability that provides additional context\nof the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common\nVulnerabilities and Exposure CVE description])',
+ example: 'In macOS before 2.12.6, there is a vulnerability in the RPC...',
+ default_field: false,
+ },
+ {
+ name: 'enumeration',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of identifier used for this vulnerability. For example\n(https://cve.mitre.org/about/)',
+ example: 'CVE',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The identification (ID) is the number portion of a vulnerability\nentry. It includes a unique identification number for the vulnerability. For\nexample (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities\nand Exposure CVE ID]',
+ example: 'CVE-2019-00001',
+ default_field: false,
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A resource that provides additional information, context, and mitigations\nfor the identified vulnerability.',
+ example: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111',
+ default_field: false,
+ },
+ {
+ name: 'report_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The report or scan identification number.',
+ example: 20191018.0001,
+ default_field: false,
+ },
+ {
+ name: 'scanner.vendor',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the vulnerability scanner vendor.',
+ example: 'Tenable',
+ default_field: false,
+ },
+ {
+ name: 'score.base',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nBase scores cover an assessment for exploitability metrics (attack vector,\ncomplexity, privileges, and user interaction), impact metrics (confidentiality,\nintegrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)',
+ example: 5.5,
+ default_field: false,
+ },
+ {
+ name: 'score.environmental',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality,\nintegrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)',
+ example: 5.5,
+ default_field: false,
+ },
+ {
+ name: 'score.temporal',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nTemporal scores cover an assessment for code maturity, remediation level,\nand confidence. For example (https://www.first.org/cvss/specification-document)',
+ default_field: false,
+ },
+ {
+ name: 'score.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The National Vulnerability Database (NVD) provides qualitative\nseverity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score\nranges in addition to the severity ratings for CVSS v3.0 as they are defined\nin the CVSS v3.0 specification.\n\nCVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit\norganization, whose mission is to help computer security incident response\nteams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)',
+ example: 2,
+ default_field: false,
+ },
+ {
+ name: 'severity',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The severity of the vulnerability can help with metrics and internal\nprioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)',
+ example: 'Critical',
+ default_field: false,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'beat',
+ anchor: 'beat-common',
+ title: 'Beat',
+ description: 'Contains common beat fields available in all event types.\n',
+ fields: [
+ {
+ name: 'agent.hostname',
+ type: 'keyword',
+ description: 'Hostname of the agent.',
+ },
+ {
+ name: 'beat.timezone',
+ type: 'alias',
+ path: 'event.timezone',
+ migration: true,
+ },
+ {
+ name: 'fields',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Contains user configurable fields.\n',
+ },
+ {
+ name: 'beat.name',
+ type: 'alias',
+ path: 'host.name',
+ migration: true,
+ },
+ {
+ name: 'beat.hostname',
+ type: 'alias',
+ path: 'agent.hostname',
+ migration: true,
+ },
+ {
+ name: 'timeseries.instance',
+ type: 'keyword',
+ description: 'Time series instance id',
+ },
+ ],
+ },
+ {
+ key: 'cloud',
+ title: 'Cloud provider metadata',
+ description: 'Metadata from cloud providers added by the add_cloud_metadata processor.\n',
+ fields: [
+ {
+ name: 'cloud.project.id',
+ example: 'project-x',
+ description: 'Name of the project in Google Cloud.\n',
+ },
+ {
+ name: 'cloud.image.id',
+ example: 'ami-abcd1234',
+ description: 'Image ID for the cloud instance.\n',
+ },
+ {
+ name: 'meta.cloud.provider',
+ type: 'alias',
+ path: 'cloud.provider',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.instance_id',
+ type: 'alias',
+ path: 'cloud.instance.id',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.instance_name',
+ type: 'alias',
+ path: 'cloud.instance.name',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.machine_type',
+ type: 'alias',
+ path: 'cloud.machine.type',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.availability_zone',
+ type: 'alias',
+ path: 'cloud.availability_zone',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.project_id',
+ type: 'alias',
+ path: 'cloud.project.id',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.region',
+ type: 'alias',
+ path: 'cloud.region',
+ migration: true,
+ },
+ ],
+ },
+ {
+ key: 'docker',
+ title: 'Docker',
+ description: 'Docker stats collected from Docker.\n',
+ short_config: false,
+ anchor: 'docker-processor',
+ fields: [
+ {
+ name: 'docker',
+ type: 'group',
+ fields: [
+ {
+ name: 'container.id',
+ type: 'alias',
+ path: 'container.id',
+ migration: true,
+ },
+ {
+ name: 'container.image',
+ type: 'alias',
+ path: 'container.image.name',
+ migration: true,
+ },
+ {
+ name: 'container.name',
+ type: 'alias',
+ path: 'container.name',
+ migration: true,
+ },
+ {
+ name: 'container.labels',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Image labels.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'host',
+ title: 'Host',
+ description: 'Info collected for the host machine.\n',
+ anchor: 'host-processor',
+ fields: [
+ {
+ name: 'host',
+ type: 'group',
+ fields: [
+ {
+ name: 'containerized',
+ type: 'boolean',
+ description: 'If the host is a container.\n',
+ },
+ {
+ name: 'os.build',
+ type: 'keyword',
+ example: '18D109',
+ description: 'OS build information.\n',
+ },
+ {
+ name: 'os.codename',
+ type: 'keyword',
+ example: 'stretch',
+ description: 'OS codename, if any.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'kubernetes',
+ title: 'Kubernetes',
+ description: 'Kubernetes metadata added by the kubernetes processor\n',
+ short_config: false,
+ anchor: 'kubernetes-processor',
+ fields: [
+ {
+ name: 'kubernetes',
+ type: 'group',
+ fields: [
+ {
+ name: 'pod.name',
+ type: 'keyword',
+ description: 'Kubernetes pod name\n',
+ },
+ {
+ name: 'pod.uid',
+ type: 'keyword',
+ description: 'Kubernetes Pod UID\n',
+ },
+ {
+ name: 'namespace',
+ type: 'keyword',
+ description: 'Kubernetes namespace\n',
+ },
+ {
+ name: 'node.name',
+ type: 'keyword',
+ description: 'Kubernetes node name\n',
+ },
+ {
+ name: 'labels.*',
+ type: 'object',
+ object_type: 'keyword',
+ object_type_mapping_type: '*',
+ description: 'Kubernetes labels map\n',
+ },
+ {
+ name: 'annotations.*',
+ type: 'object',
+ object_type: 'keyword',
+ object_type_mapping_type: '*',
+ description: 'Kubernetes annotations map\n',
+ },
+ {
+ name: 'replicaset.name',
+ type: 'keyword',
+ description: 'Kubernetes replicaset name\n',
+ },
+ {
+ name: 'deployment.name',
+ type: 'keyword',
+ description: 'Kubernetes deployment name\n',
+ },
+ {
+ name: 'statefulset.name',
+ type: 'keyword',
+ description: 'Kubernetes statefulset name\n',
+ },
+ {
+ name: 'container.name',
+ type: 'keyword',
+ description: 'Kubernetes container name\n',
+ },
+ {
+ name: 'container.image',
+ type: 'keyword',
+ description: 'Kubernetes container image\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'process',
+ title: 'Process',
+ description: 'Process metadata fields\n',
+ fields: [
+ {
+ name: 'process',
+ type: 'group',
+ fields: [
+ {
+ name: 'exe',
+ type: 'alias',
+ path: 'process.executable',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'jolokia-autodiscover',
+ title: 'Jolokia Discovery autodiscover provider',
+ description: 'Metadata from Jolokia Discovery added by the jolokia provider.\n',
+ fields: [
+ {
+ name: 'jolokia.agent.version',
+ type: 'keyword',
+ description: 'Version number of jolokia agent.\n',
+ },
+ {
+ name: 'jolokia.agent.id',
+ type: 'keyword',
+ description:
+ 'Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.\n',
+ },
+ {
+ name: 'jolokia.server.product',
+ type: 'keyword',
+ description: 'The container product if detected.\n',
+ },
+ {
+ name: 'jolokia.server.version',
+ type: 'keyword',
+ description: "The container's version (if detected).\n",
+ },
+ {
+ name: 'jolokia.server.vendor',
+ type: 'keyword',
+ description: 'The vendor of the container the agent is running in.\n',
+ },
+ {
+ name: 'jolokia.url',
+ type: 'keyword',
+ description: 'The URL how this agent can be contacted.\n',
+ },
+ {
+ name: 'jolokia.secured',
+ type: 'boolean',
+ description: 'Whether the agent was configured for authentication or not.\n',
+ },
+ ],
+ },
+ {
+ key: 'common',
+ title: 'Common',
+ description: 'Contains common fields available in all event types.\n',
+ fields: [
+ {
+ name: 'file',
+ type: 'group',
+ description: 'File attributes.',
+ fields: [
+ {
+ name: 'setuid',
+ type: 'boolean',
+ example: true,
+ description: 'Set if the file has the `setuid` bit set. Omitted otherwise.',
+ },
+ {
+ name: 'setgid',
+ type: 'boolean',
+ example: true,
+ description: 'Set if the file has the `setgid` bit set. Omitted otherwise.',
+ },
+ {
+ name: 'origin',
+ type: 'keyword',
+ description:
+ 'An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.\n',
+ multi_fields: [
+ {
+ name: 'raw',
+ type: 'keyword',
+ description:
+ 'This is a non-analyzed field that is useful for aggregations on the origin data.\n',
+ },
+ ],
+ },
+ {
+ name: 'selinux',
+ type: 'group',
+ description: 'The SELinux identity of the file.',
+ fields: [
+ {
+ name: 'user',
+ type: 'keyword',
+ description: 'The owner of the object.',
+ },
+ {
+ name: 'role',
+ type: 'keyword',
+ description: "The object's SELinux role.",
+ },
+ {
+ name: 'domain',
+ type: 'keyword',
+ description: "The object's SELinux domain or type.",
+ },
+ {
+ name: 'level',
+ type: 'keyword',
+ example: 's0',
+ description: "The object's SELinux level.",
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'user',
+ type: 'group',
+ description: 'User information.',
+ fields: [
+ {
+ name: 'audit',
+ type: 'group',
+ description: 'Audit user information.',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Audit user ID.',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Audit user name.',
+ },
+ ],
+ },
+ {
+ name: 'effective',
+ type: 'group',
+ description: 'Effective user information.',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Effective user ID.',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Effective user name.',
+ },
+ {
+ name: 'group',
+ type: 'group',
+ description: 'Effective group information.',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Effective group ID.',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Effective group name.',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'filesystem',
+ type: 'group',
+ description: 'Filesystem user information.',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Filesystem user ID.',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Filesystem user name.',
+ },
+ {
+ name: 'group',
+ type: 'group',
+ description: 'Filesystem group information.',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Filesystem group ID.',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Filesystem group name.',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'saved',
+ type: 'group',
+ description: 'Saved user information.',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Saved user ID.',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Saved user name.',
+ },
+ {
+ name: 'group',
+ type: 'group',
+ description: 'Saved group information.',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Saved group ID.',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Saved group name.',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'auditd',
+ title: 'Auditd',
+ description: 'These are the fields generated by the auditd module.',
+ fields: [
+ {
+ name: 'user',
+ type: 'group',
+ fields: [
+ {
+ name: 'auid',
+ type: 'alias',
+ path: 'user.audit.id',
+ migration: true,
+ },
+ {
+ name: 'uid',
+ type: 'alias',
+ path: 'user.id',
+ migration: true,
+ },
+ {
+ name: 'euid',
+ type: 'alias',
+ path: 'user.effective.id',
+ migration: true,
+ },
+ {
+ name: 'fsuid',
+ type: 'alias',
+ path: 'user.filesystem.id',
+ migration: true,
+ },
+ {
+ name: 'suid',
+ type: 'alias',
+ path: 'user.saved.id',
+ migration: true,
+ },
+ {
+ name: 'gid',
+ type: 'alias',
+ path: 'user.group.id',
+ migration: true,
+ },
+ {
+ name: 'egid',
+ type: 'alias',
+ path: 'user.effective.group.id',
+ migration: true,
+ },
+ {
+ name: 'sgid',
+ type: 'alias',
+ path: 'user.saved.group.id',
+ migration: true,
+ },
+ {
+ name: 'fsgid',
+ type: 'alias',
+ path: 'user.filesystem.group.id',
+ migration: true,
+ },
+ {
+ name: 'name_map',
+ type: 'group',
+ description:
+ 'If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid -> root).\n',
+ fields: [
+ {
+ name: 'auid',
+ type: 'alias',
+ path: 'user.audit.name',
+ migration: true,
+ },
+ {
+ name: 'uid',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'euid',
+ type: 'alias',
+ path: 'user.effective.name',
+ migration: true,
+ },
+ {
+ name: 'fsuid',
+ type: 'alias',
+ path: 'user.filesystem.name',
+ migration: true,
+ },
+ {
+ name: 'suid',
+ type: 'alias',
+ path: 'user.saved.name',
+ migration: true,
+ },
+ {
+ name: 'gid',
+ type: 'alias',
+ path: 'user.group.name',
+ migration: true,
+ },
+ {
+ name: 'egid',
+ type: 'alias',
+ path: 'user.effective.group.name',
+ migration: true,
+ },
+ {
+ name: 'sgid',
+ type: 'alias',
+ path: 'user.saved.group.name',
+ migration: true,
+ },
+ {
+ name: 'fsgid',
+ type: 'alias',
+ path: 'user.filesystem.group.name',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'selinux',
+ type: 'group',
+ description: 'The SELinux identity of the actor.',
+ fields: [
+ {
+ name: 'user',
+ type: 'keyword',
+ description: 'account submitted for authentication',
+ },
+ {
+ name: 'role',
+ type: 'keyword',
+ description: "user's SELinux role",
+ },
+ {
+ name: 'domain',
+ type: 'keyword',
+ description: "The actor's SELinux domain or type.",
+ },
+ {
+ name: 'level',
+ type: 'keyword',
+ example: 's0',
+ description: "The actor's SELinux level.",
+ },
+ {
+ name: 'category',
+ type: 'keyword',
+ description: "The actor's SELinux category or compartments.",
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'process',
+ type: 'group',
+ description: 'Process attributes.',
+ fields: [
+ {
+ name: 'cwd',
+ type: 'alias',
+ path: 'process.working_directory',
+ migration: true,
+ description: 'The current working directory.',
+ },
+ ],
+ },
+ {
+ name: 'source',
+ type: 'group',
+ description: 'Source that triggered the event.',
+ fields: [
+ {
+ name: 'path',
+ type: 'keyword',
+ description: 'This is the path associated with a unix socket.',
+ },
+ ],
+ },
+ {
+ name: 'destination',
+ type: 'group',
+ description: 'Destination address that triggered the event.',
+ fields: [
+ {
+ name: 'path',
+ type: 'keyword',
+ description: 'This is the path associated with a unix socket.',
+ },
+ ],
+ },
+ {
+ name: 'auditd',
+ type: 'group',
+ fields: [
+ {
+ name: 'message_type',
+ type: 'keyword',
+ example: 'syscall',
+ description: 'The audit message type (e.g. syscall or apparmor_denied).\n',
+ },
+ {
+ name: 'sequence',
+ type: 'long',
+ description:
+ 'The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.\n',
+ },
+ {
+ name: 'session',
+ type: 'keyword',
+ description:
+ 'The session ID assigned to a login. All events related to a login session will have the same value.\n',
+ },
+ {
+ name: 'result',
+ type: 'keyword',
+ example: 'success or fail',
+ description: 'The result of the audited operation (success/fail).',
+ },
+ {
+ name: 'summary',
+ type: 'group',
+ fields: [
+ {
+ name: 'actor',
+ type: 'group',
+ description: 'The actor is the user that triggered the audit event.',
+ fields: [
+ {
+ name: 'primary',
+ type: 'keyword',
+ description:
+ "The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account.\n",
+ },
+ {
+ name: 'secondary',
+ type: 'keyword',
+ description:
+ 'The secondary identity of the actor. This is typically\nthe same as the primary, except for when the user has used `su`.',
+ },
+ ],
+ },
+ {
+ name: 'object',
+ type: 'group',
+ description: 'This is the thing or object being acted upon in the event.\n',
+ fields: [
+ {
+ name: 'type',
+ type: 'keyword',
+ description:
+ 'A description of the what the "thing" is (e.g. file, socket, user-session).\n',
+ },
+ {
+ name: 'primary',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'secondary',
+ type: 'keyword',
+ description: '',
+ },
+ ],
+ },
+ {
+ name: 'how',
+ type: 'keyword',
+ description:
+ 'This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.\n',
+ },
+ ],
+ },
+ {
+ name: 'paths',
+ type: 'group',
+ description: 'List of paths associated with the event.',
+ fields: [
+ {
+ name: 'inode',
+ type: 'keyword',
+ description: 'inode number',
+ },
+ {
+ name: 'dev',
+ type: 'keyword',
+ description: 'device name as found in /dev',
+ },
+ {
+ name: 'obj_user',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'obj_role',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'obj_domain',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'obj_level',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'objtype',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'ouid',
+ type: 'keyword',
+ description: 'file owner user ID',
+ },
+ {
+ name: 'rdev',
+ type: 'keyword',
+ description: 'the device identifier (special files only)',
+ },
+ {
+ name: 'nametype',
+ type: 'keyword',
+ description: 'kind of file operation being referenced',
+ },
+ {
+ name: 'ogid',
+ type: 'keyword',
+ description: 'file owner group ID',
+ },
+ {
+ name: 'item',
+ type: 'keyword',
+ description: 'which item is being recorded',
+ },
+ {
+ name: 'mode',
+ type: 'keyword',
+ description: 'mode flags on a file',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'file name in avcs',
+ },
+ ],
+ },
+ {
+ name: 'data',
+ type: 'group',
+ description: 'The data from the audit messages.',
+ fields: [
+ {
+ name: 'action',
+ type: 'keyword',
+ description: 'netfilter packet disposition',
+ },
+ {
+ name: 'minor',
+ type: 'keyword',
+ description: 'device minor number',
+ },
+ {
+ name: 'acct',
+ type: 'keyword',
+ description: "a user's account name",
+ },
+ {
+ name: 'addr',
+ type: 'keyword',
+ description: 'the remote address that the user is connecting from',
+ },
+ {
+ name: 'cipher',
+ type: 'keyword',
+ description: 'name of crypto cipher selected',
+ },
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'during account changes',
+ },
+ {
+ name: 'entries',
+ type: 'keyword',
+ description: 'number of entries in the netfilter table',
+ },
+ {
+ name: 'kind',
+ type: 'keyword',
+ description: 'server or client in crypto operation',
+ },
+ {
+ name: 'ksize',
+ type: 'keyword',
+ description: 'key size for crypto operation',
+ },
+ {
+ name: 'spid',
+ type: 'keyword',
+ description: 'sent process ID',
+ },
+ {
+ name: 'arch',
+ type: 'keyword',
+ description: 'the elf architecture flags',
+ },
+ {
+ name: 'argc',
+ type: 'keyword',
+ description: 'the number of arguments to an execve syscall',
+ },
+ {
+ name: 'major',
+ type: 'keyword',
+ description: 'device major number',
+ },
+ {
+ name: 'unit',
+ type: 'keyword',
+ description: 'systemd unit',
+ },
+ {
+ name: 'table',
+ type: 'keyword',
+ description: 'netfilter table name',
+ },
+ {
+ name: 'terminal',
+ type: 'keyword',
+ description: 'terminal name the user is running programs on',
+ },
+ {
+ name: 'grantors',
+ type: 'keyword',
+ description: 'pam modules approving the action',
+ },
+ {
+ name: 'direction',
+ type: 'keyword',
+ description: 'direction of crypto operation',
+ },
+ {
+ name: 'op',
+ type: 'keyword',
+ description: 'the operation being performed that is audited',
+ },
+ {
+ name: 'tty',
+ type: 'keyword',
+ description: 'tty udevice the user is running programs on',
+ },
+ {
+ name: 'syscall',
+ type: 'keyword',
+ description: 'syscall number in effect when the event occurred',
+ },
+ {
+ name: 'data',
+ type: 'keyword',
+ description: 'TTY text',
+ },
+ {
+ name: 'family',
+ type: 'keyword',
+ description: 'netfilter protocol',
+ },
+ {
+ name: 'mac',
+ type: 'keyword',
+ description: 'crypto MAC algorithm selected',
+ },
+ {
+ name: 'pfs',
+ type: 'keyword',
+ description: 'perfect forward secrecy method',
+ },
+ {
+ name: 'items',
+ type: 'keyword',
+ description: 'the number of path records in the event',
+ },
+ {
+ name: 'a0',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'a1',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'a2',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'a3',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'hostname',
+ type: 'keyword',
+ description: 'the hostname that the user is connecting from',
+ },
+ {
+ name: 'lport',
+ type: 'keyword',
+ description: 'local network port',
+ },
+ {
+ name: 'rport',
+ type: 'keyword',
+ description: 'remote port number',
+ },
+ {
+ name: 'exit',
+ type: 'keyword',
+ description: 'syscall exit code',
+ },
+ {
+ name: 'fp',
+ type: 'keyword',
+ description: 'crypto key finger print',
+ },
+ {
+ name: 'laddr',
+ type: 'keyword',
+ description: 'local network address',
+ },
+ {
+ name: 'sport',
+ type: 'keyword',
+ description: 'local port number',
+ },
+ {
+ name: 'capability',
+ type: 'keyword',
+ description: 'posix capabilities',
+ },
+ {
+ name: 'nargs',
+ type: 'keyword',
+ description: 'the number of arguments to a socket call',
+ },
+ {
+ name: 'new-enabled',
+ type: 'keyword',
+ description: 'new TTY audit enabled setting',
+ },
+ {
+ name: 'audit_backlog_limit',
+ type: 'keyword',
+ description: "audit system's backlog queue size",
+ },
+ {
+ name: 'dir',
+ type: 'keyword',
+ description: 'directory name',
+ },
+ {
+ name: 'cap_pe',
+ type: 'keyword',
+ description: 'process effective capability map',
+ },
+ {
+ name: 'model',
+ type: 'keyword',
+ description: 'security model being used for virt',
+ },
+ {
+ name: 'new_pp',
+ type: 'keyword',
+ description: 'new process permitted capability map',
+ },
+ {
+ name: 'old-enabled',
+ type: 'keyword',
+ description: 'present TTY audit enabled setting',
+ },
+ {
+ name: 'oauid',
+ type: 'keyword',
+ description: "object's login user ID",
+ },
+ {
+ name: 'old',
+ type: 'keyword',
+ description: 'old value',
+ },
+ {
+ name: 'banners',
+ type: 'keyword',
+ description: 'banners used on printed page',
+ },
+ {
+ name: 'feature',
+ type: 'keyword',
+ description: 'kernel feature being changed',
+ },
+ {
+ name: 'vm-ctx',
+ type: 'keyword',
+ description: "the vm's context string",
+ },
+ {
+ name: 'opid',
+ type: 'keyword',
+ description: "object's process ID",
+ },
+ {
+ name: 'seperms',
+ type: 'keyword',
+ description: 'SELinux permissions being used',
+ },
+ {
+ name: 'seresult',
+ type: 'keyword',
+ description: 'SELinux AVC decision granted/denied',
+ },
+ {
+ name: 'new-rng',
+ type: 'keyword',
+ description: 'device name of rng being added from a vm',
+ },
+ {
+ name: 'old-net',
+ type: 'keyword',
+ description: 'present MAC address assigned to vm',
+ },
+ {
+ name: 'sigev_signo',
+ type: 'keyword',
+ description: 'signal number',
+ },
+ {
+ name: 'ino',
+ type: 'keyword',
+ description: 'inode number',
+ },
+ {
+ name: 'old_enforcing',
+ type: 'keyword',
+ description: 'old MAC enforcement status',
+ },
+ {
+ name: 'old-vcpu',
+ type: 'keyword',
+ description: 'present number of CPU cores',
+ },
+ {
+ name: 'range',
+ type: 'keyword',
+ description: "user's SE Linux range",
+ },
+ {
+ name: 'res',
+ type: 'keyword',
+ description: 'result of the audited operation(success/fail)',
+ },
+ {
+ name: 'added',
+ type: 'keyword',
+ description: 'number of new files detected',
+ },
+ {
+ name: 'fam',
+ type: 'keyword',
+ description: 'socket address family',
+ },
+ {
+ name: 'nlnk-pid',
+ type: 'keyword',
+ description: 'pid of netlink packet sender',
+ },
+ {
+ name: 'subj',
+ type: 'keyword',
+ description: "lspp subject's context string",
+ },
+ {
+ name: 'a[0-3]',
+ type: 'keyword',
+ description: 'the arguments to a syscall',
+ },
+ {
+ name: 'cgroup',
+ type: 'keyword',
+ description: 'path to cgroup in sysfs',
+ },
+ {
+ name: 'kernel',
+ type: 'keyword',
+ description: "kernel's version number",
+ },
+ {
+ name: 'ocomm',
+ type: 'keyword',
+ description: "object's command line name",
+ },
+ {
+ name: 'new-net',
+ type: 'keyword',
+ description: 'MAC address being assigned to vm',
+ },
+ {
+ name: 'permissive',
+ type: 'keyword',
+ description: 'SELinux is in permissive mode',
+ },
+ {
+ name: 'class',
+ type: 'keyword',
+ description: 'resource class assigned to vm',
+ },
+ {
+ name: 'compat',
+ type: 'keyword',
+ description: 'is_compat_task result',
+ },
+ {
+ name: 'fi',
+ type: 'keyword',
+ description: 'file assigned inherited capability map',
+ },
+ {
+ name: 'changed',
+ type: 'keyword',
+ description: 'number of changed files',
+ },
+ {
+ name: 'msg',
+ type: 'keyword',
+ description: 'the payload of the audit record',
+ },
+ {
+ name: 'dport',
+ type: 'keyword',
+ description: 'remote port number',
+ },
+ {
+ name: 'new-seuser',
+ type: 'keyword',
+ description: 'new SELinux user',
+ },
+ {
+ name: 'invalid_context',
+ type: 'keyword',
+ description: 'SELinux context',
+ },
+ {
+ name: 'dmac',
+ type: 'keyword',
+ description: 'remote MAC address',
+ },
+ {
+ name: 'ipx-net',
+ type: 'keyword',
+ description: 'IPX network number',
+ },
+ {
+ name: 'iuid',
+ type: 'keyword',
+ description: "ipc object's user ID",
+ },
+ {
+ name: 'macproto',
+ type: 'keyword',
+ description: 'ethernet packet type ID field',
+ },
+ {
+ name: 'obj',
+ type: 'keyword',
+ description: 'lspp object context string',
+ },
+ {
+ name: 'ipid',
+ type: 'keyword',
+ description: 'IP datagram fragment identifier',
+ },
+ {
+ name: 'new-fs',
+ type: 'keyword',
+ description: 'file system being added to vm',
+ },
+ {
+ name: 'vm-pid',
+ type: 'keyword',
+ description: "vm's process ID",
+ },
+ {
+ name: 'cap_pi',
+ type: 'keyword',
+ description: 'process inherited capability map',
+ },
+ {
+ name: 'old-auid',
+ type: 'keyword',
+ description: 'previous auid value',
+ },
+ {
+ name: 'oses',
+ type: 'keyword',
+ description: "object's session ID",
+ },
+ {
+ name: 'fd',
+ type: 'keyword',
+ description: 'file descriptor number',
+ },
+ {
+ name: 'igid',
+ type: 'keyword',
+ description: "ipc object's group ID",
+ },
+ {
+ name: 'new-disk',
+ type: 'keyword',
+ description: 'disk being added to vm',
+ },
+ {
+ name: 'parent',
+ type: 'keyword',
+ description: 'the inode number of the parent file',
+ },
+ {
+ name: 'len',
+ type: 'keyword',
+ description: 'length',
+ },
+ {
+ name: 'oflag',
+ type: 'keyword',
+ description: 'open syscall flags',
+ },
+ {
+ name: 'uuid',
+ type: 'keyword',
+ description: 'a UUID',
+ },
+ {
+ name: 'code',
+ type: 'keyword',
+ description: 'seccomp action code',
+ },
+ {
+ name: 'nlnk-grp',
+ type: 'keyword',
+ description: 'netlink group number',
+ },
+ {
+ name: 'cap_fp',
+ type: 'keyword',
+ description: 'file permitted capability map',
+ },
+ {
+ name: 'new-mem',
+ type: 'keyword',
+ description: 'new amount of memory in KB',
+ },
+ {
+ name: 'seperm',
+ type: 'keyword',
+ description: 'SELinux permission being decided on',
+ },
+ {
+ name: 'enforcing',
+ type: 'keyword',
+ description: 'new MAC enforcement status',
+ },
+ {
+ name: 'new-chardev',
+ type: 'keyword',
+ description: 'new character device being assigned to vm',
+ },
+ {
+ name: 'old-rng',
+ type: 'keyword',
+ description: 'device name of rng being removed from a vm',
+ },
+ {
+ name: 'outif',
+ type: 'keyword',
+ description: 'out interface number',
+ },
+ {
+ name: 'cmd',
+ type: 'keyword',
+ description: 'command being executed',
+ },
+ {
+ name: 'hook',
+ type: 'keyword',
+ description: 'netfilter hook that packet came from',
+ },
+ {
+ name: 'new-level',
+ type: 'keyword',
+ description: 'new run level',
+ },
+ {
+ name: 'sauid',
+ type: 'keyword',
+ description: 'sent login user ID',
+ },
+ {
+ name: 'sig',
+ type: 'keyword',
+ description: 'signal number',
+ },
+ {
+ name: 'audit_backlog_wait_time',
+ type: 'keyword',
+ description: "audit system's backlog wait time",
+ },
+ {
+ name: 'printer',
+ type: 'keyword',
+ description: 'printer name',
+ },
+ {
+ name: 'old-mem',
+ type: 'keyword',
+ description: 'present amount of memory in KB',
+ },
+ {
+ name: 'perm',
+ type: 'keyword',
+ description: 'the file permission being used',
+ },
+ {
+ name: 'old_pi',
+ type: 'keyword',
+ description: 'old process inherited capability map',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description: 'audit daemon configuration resulting state',
+ },
+ {
+ name: 'format',
+ type: 'keyword',
+ description: "audit log's format",
+ },
+ {
+ name: 'new_gid',
+ type: 'keyword',
+ description: 'new group ID being assigned',
+ },
+ {
+ name: 'tcontext',
+ type: 'keyword',
+ description: "the target's or object's context string",
+ },
+ {
+ name: 'maj',
+ type: 'keyword',
+ description: 'device major number',
+ },
+ {
+ name: 'watch',
+ type: 'keyword',
+ description: 'file name in a watch record',
+ },
+ {
+ name: 'device',
+ type: 'keyword',
+ description: 'device name',
+ },
+ {
+ name: 'grp',
+ type: 'keyword',
+ description: 'group name',
+ },
+ {
+ name: 'bool',
+ type: 'keyword',
+ description: 'name of SELinux boolean',
+ },
+ {
+ name: 'icmp_type',
+ type: 'keyword',
+ description: 'type of icmp message',
+ },
+ {
+ name: 'new_lock',
+ type: 'keyword',
+ description: 'new value of feature lock',
+ },
+ {
+ name: 'old_prom',
+ type: 'keyword',
+ description: 'network promiscuity flag',
+ },
+ {
+ name: 'acl',
+ type: 'keyword',
+ description: 'access mode of resource assigned to vm',
+ },
+ {
+ name: 'ip',
+ type: 'keyword',
+ description: 'network address of a printer',
+ },
+ {
+ name: 'new_pi',
+ type: 'keyword',
+ description: 'new process inherited capability map',
+ },
+ {
+ name: 'default-context',
+ type: 'keyword',
+ description: 'default MAC context',
+ },
+ {
+ name: 'inode_gid',
+ type: 'keyword',
+ description: "group ID of the inode's owner",
+ },
+ {
+ name: 'new-log_passwd',
+ type: 'keyword',
+ description: 'new value for TTY password logging',
+ },
+ {
+ name: 'new_pe',
+ type: 'keyword',
+ description: 'new process effective capability map',
+ },
+ {
+ name: 'selected-context',
+ type: 'keyword',
+ description: 'new MAC context assigned to session',
+ },
+ {
+ name: 'cap_fver',
+ type: 'keyword',
+ description: 'file system capabilities version number',
+ },
+ {
+ name: 'file',
+ type: 'keyword',
+ description: 'file name',
+ },
+ {
+ name: 'net',
+ type: 'keyword',
+ description: 'network MAC address',
+ },
+ {
+ name: 'virt',
+ type: 'keyword',
+ description: 'kind of virtualization being referenced',
+ },
+ {
+ name: 'cap_pp',
+ type: 'keyword',
+ description: 'process permitted capability map',
+ },
+ {
+ name: 'old-range',
+ type: 'keyword',
+ description: 'present SELinux range',
+ },
+ {
+ name: 'resrc',
+ type: 'keyword',
+ description: 'resource being assigned',
+ },
+ {
+ name: 'new-range',
+ type: 'keyword',
+ description: 'new SELinux range',
+ },
+ {
+ name: 'obj_gid',
+ type: 'keyword',
+ description: 'group ID of object',
+ },
+ {
+ name: 'proto',
+ type: 'keyword',
+ description: 'network protocol',
+ },
+ {
+ name: 'old-disk',
+ type: 'keyword',
+ description: 'disk being removed from vm',
+ },
+ {
+ name: 'audit_failure',
+ type: 'keyword',
+ description: "audit system's failure mode",
+ },
+ {
+ name: 'inif',
+ type: 'keyword',
+ description: 'in interface number',
+ },
+ {
+ name: 'vm',
+ type: 'keyword',
+ description: 'virtual machine name',
+ },
+ {
+ name: 'flags',
+ type: 'keyword',
+ description: 'mmap syscall flags',
+ },
+ {
+ name: 'nlnk-fam',
+ type: 'keyword',
+ description: 'netlink protocol number',
+ },
+ {
+ name: 'old-fs',
+ type: 'keyword',
+ description: 'file system being removed from vm',
+ },
+ {
+ name: 'old-ses',
+ type: 'keyword',
+ description: 'previous ses value',
+ },
+ {
+ name: 'seqno',
+ type: 'keyword',
+ description: 'sequence number',
+ },
+ {
+ name: 'fver',
+ type: 'keyword',
+ description: 'file system capabilities version number',
+ },
+ {
+ name: 'qbytes',
+ type: 'keyword',
+ description: 'ipc objects quantity of bytes',
+ },
+ {
+ name: 'seuser',
+ type: 'keyword',
+ description: "user's SE Linux user acct",
+ },
+ {
+ name: 'cap_fe',
+ type: 'keyword',
+ description: 'file assigned effective capability map',
+ },
+ {
+ name: 'new-vcpu',
+ type: 'keyword',
+ description: 'new number of CPU cores',
+ },
+ {
+ name: 'old-level',
+ type: 'keyword',
+ description: 'old run level',
+ },
+ {
+ name: 'old_pp',
+ type: 'keyword',
+ description: 'old process permitted capability map',
+ },
+ {
+ name: 'daddr',
+ type: 'keyword',
+ description: 'remote IP address',
+ },
+ {
+ name: 'old-role',
+ type: 'keyword',
+ description: 'present SELinux role',
+ },
+ {
+ name: 'ioctlcmd',
+ type: 'keyword',
+ description: 'The request argument to the ioctl syscall',
+ },
+ {
+ name: 'smac',
+ type: 'keyword',
+ description: 'local MAC address',
+ },
+ {
+ name: 'apparmor',
+ type: 'keyword',
+ description: 'apparmor event information',
+ },
+ {
+ name: 'fe',
+ type: 'keyword',
+ description: 'file assigned effective capability map',
+ },
+ {
+ name: 'perm_mask',
+ type: 'keyword',
+ description: 'file permission mask that triggered a watch event',
+ },
+ {
+ name: 'ses',
+ type: 'keyword',
+ description: 'login session ID',
+ },
+ {
+ name: 'cap_fi',
+ type: 'keyword',
+ description: 'file inherited capability map',
+ },
+ {
+ name: 'obj_uid',
+ type: 'keyword',
+ description: 'user ID of object',
+ },
+ {
+ name: 'reason',
+ type: 'keyword',
+ description: 'text string denoting a reason for the action',
+ },
+ {
+ name: 'list',
+ type: 'keyword',
+ description: "the audit system's filter list number",
+ },
+ {
+ name: 'old_lock',
+ type: 'keyword',
+ description: 'present value of feature lock',
+ },
+ {
+ name: 'bus',
+ type: 'keyword',
+ description: 'name of subsystem bus a vm resource belongs to',
+ },
+ {
+ name: 'old_pe',
+ type: 'keyword',
+ description: 'old process effective capability map',
+ },
+ {
+ name: 'new-role',
+ type: 'keyword',
+ description: 'new SELinux role',
+ },
+ {
+ name: 'prom',
+ type: 'keyword',
+ description: 'network promiscuity flag',
+ },
+ {
+ name: 'uri',
+ type: 'keyword',
+ description: 'URI pointing to a printer',
+ },
+ {
+ name: 'audit_enabled',
+ type: 'keyword',
+ description: "audit systems's enable/disable status",
+ },
+ {
+ name: 'old-log_passwd',
+ type: 'keyword',
+ description: 'present value for TTY password logging',
+ },
+ {
+ name: 'old-seuser',
+ type: 'keyword',
+ description: 'present SELinux user',
+ },
+ {
+ name: 'per',
+ type: 'keyword',
+ description: 'linux personality',
+ },
+ {
+ name: 'scontext',
+ type: 'keyword',
+ description: "the subject's context string",
+ },
+ {
+ name: 'tclass',
+ type: 'keyword',
+ description: "target's object classification",
+ },
+ {
+ name: 'ver',
+ type: 'keyword',
+ description: "audit daemon's version number",
+ },
+ {
+ name: 'new',
+ type: 'keyword',
+ description: 'value being set in feature',
+ },
+ {
+ name: 'val',
+ type: 'keyword',
+ description: 'generic value associated with the operation',
+ },
+ {
+ name: 'img-ctx',
+ type: 'keyword',
+ description: "the vm's disk image context string",
+ },
+ {
+ name: 'old-chardev',
+ type: 'keyword',
+ description: 'present character device assigned to vm',
+ },
+ {
+ name: 'old_val',
+ type: 'keyword',
+ description: 'current value of SELinux boolean',
+ },
+ {
+ name: 'success',
+ type: 'keyword',
+ description: 'whether the syscall was successful or not',
+ },
+ {
+ name: 'inode_uid',
+ type: 'keyword',
+ description: "user ID of the inode's owner",
+ },
+ {
+ name: 'removed',
+ type: 'keyword',
+ description: 'number of deleted files',
+ },
+ {
+ name: 'socket',
+ type: 'group',
+ fields: [
+ {
+ name: 'port',
+ type: 'keyword',
+ description: 'The port number.',
+ },
+ {
+ name: 'saddr',
+ type: 'keyword',
+ description: 'The raw socket address structure.',
+ },
+ {
+ name: 'addr',
+ type: 'keyword',
+ description: 'The remote address.',
+ },
+ {
+ name: 'family',
+ type: 'keyword',
+ example: 'unix',
+ description: 'The socket family (unix, ipv4, ipv6, netlink).',
+ },
+ {
+ name: 'path',
+ type: 'keyword',
+ description: 'This is the path associated with a unix socket.',
+ },
+ ],
+ },
+ ],
},
{
- name: 'update',
+ name: 'messages',
+ type: 'alias',
+ migration: true,
+ path: 'event.original',
description:
- 'A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.',
+ 'An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if `include_raw_message` is set in the config.\n',
},
{
- name: 'cursorId',
+ name: 'warnings',
+ type: 'alias',
+ migration: true,
+ path: 'error.message',
description:
- 'The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.',
+ 'The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.\n',
},
],
},
- ],
- },
- {
- key: 'mysql',
- title: 'MySQL',
- description: 'MySQL-specific event fields.',
- fields: [
{
- name: 'mysql',
+ name: 'geoip',
type: 'group',
+ description:
+ 'The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.\n',
fields: [
{
- name: 'affected_rows',
- type: 'long',
- description:
- 'If the MySQL command is successful, this field contains the affected number of rows of the last statement.',
- },
- {
- name: 'insert_id',
- description:
- 'If the INSERT query is successful, this field contains the id of the newly inserted row.',
- },
- {
- name: 'num_fields',
- description:
- 'If the SELECT query is successful, this field is set to the number of fields returned.',
+ name: 'continent_name',
+ type: 'keyword',
+ description: 'The name of the continent.\n',
},
{
- name: 'num_rows',
- description:
- 'If the SELECT query is successful, this field is set to the number of rows returned.',
+ name: 'city_name',
+ type: 'keyword',
+ description: 'The name of the city.\n',
},
{
- name: 'query',
- description: "The row mysql query as read from the transaction's request. ",
+ name: 'region_name',
+ type: 'keyword',
+ description: 'The name of the region.\n',
},
{
- name: 'error_code',
- type: 'long',
- description: 'The error code returned by MySQL.',
+ name: 'country_iso_code',
+ type: 'keyword',
+ description: 'Country ISO code.\n',
},
{
- name: 'error_message',
- description: 'The error info message returned by MySQL.',
+ name: 'location',
+ type: 'geo_point',
+ description: 'The longitude and latitude.\n',
},
],
},
],
},
{
- key: 'nfs',
- title: 'NFS',
- description: 'NFS v4/3 specific event fields.',
+ key: 'file_integrity',
+ title: 'File Integrity',
+ description: 'These are the fields generated by the file_integrity module.',
fields: [
{
- name: 'nfs',
- type: 'group',
- fields: [
- {
- name: 'version',
- type: 'long',
- description: 'NFS protocol version number.',
- },
- {
- name: 'minor_version',
- type: 'long',
- description: 'NFS protocol minor version number.',
- },
- {
- name: 'tag',
- description: 'NFS v4 COMPOUND operation tag.',
- },
- {
- name: 'opcode',
- description: 'NFS operation name, or main operation name, in case of COMPOUND calls.',
- },
- {
- name: 'status',
- description: 'NFS operation reply status.',
- },
- ],
- },
- {
- name: 'rpc',
+ name: 'hash',
type: 'group',
- description: 'ONC RPC specific event fields.',
+ description:
+ 'Hashes of the file. The keys are algorithm names and the values are the hex encoded digest values.\n',
fields: [
{
- name: 'xid',
- description: 'RPC message transaction identifier.',
- },
- {
- name: 'status',
- description: 'RPC message reply status.',
- },
- {
- name: 'auth_flavor',
- description: 'RPC authentication flavor.',
- },
- {
- name: 'cred.uid',
- type: 'long',
- description: "RPC caller's user id, in case of auth-unix.",
- },
- {
- name: 'cred.gid',
- type: 'long',
- description: "RPC caller's group id, in case of auth-unix.",
- },
- {
- name: 'cred.gids',
- description: "RPC caller's secondary group ids, in case of auth-unix.",
+ name: 'blake2b_256',
+ type: 'keyword',
+ description: 'BLAKE2b-256 hash of the file.',
},
{
- name: 'cred.stamp',
- type: 'long',
- description: 'Arbitrary ID which the caller machine may generate.',
+ name: 'blake2b_384',
+ type: 'keyword',
+ description: 'BLAKE2b-384 hash of the file.',
},
{
- name: 'cred.machinename',
- description: "The name of the caller's machine.",
+ name: 'blake2b_512',
+ type: 'keyword',
+ description: 'BLAKE2b-512 hash of the file.',
},
{
- name: 'call_size',
- type: 'alias',
- path: 'source.bytes',
- migration: true,
- description: 'RPC call size with argument.',
+ name: 'md5',
+ overwrite: true,
+ type: 'keyword',
+ description: 'MD5 hash of the file.',
},
{
- name: 'reply_size',
- type: 'alias',
- path: 'destination.bytes',
- migration: true,
- description: 'RPC reply size with argument.',
+ name: 'sha1',
+ overwrite: true,
+ type: 'keyword',
+ description: 'SHA1 hash of the file.',
},
- ],
- },
- ],
- },
- {
- key: 'pgsql',
- title: 'PostgreSQL',
- description: 'PostgreSQL-specific event fields.',
- fields: [
- {
- name: 'pgsql',
- type: 'group',
- fields: [
{
- name: 'error_code',
- description: 'The PostgreSQL error code.',
- type: 'long',
+ name: 'sha224',
+ type: 'keyword',
+ description: 'SHA224 hash of the file.',
},
{
- name: 'error_message',
- description: 'The PostgreSQL error message.',
+ name: 'sha256',
+ overwrite: true,
+ type: 'keyword',
+ description: 'SHA256 hash of the file.',
},
{
- name: 'error_severity',
- description: 'The PostgreSQL error severity.',
- possible_values: ['ERROR', 'FATAL', 'PANIC'],
+ name: 'sha384',
+ type: 'keyword',
+ description: 'SHA384 hash of the file.',
},
{
- name: 'num_fields',
- description:
- 'If the SELECT query if successful, this field is set to the number of fields returned.',
+ name: 'sha3_224',
+ type: 'keyword',
+ description: 'SHA3_224 hash of the file.',
},
{
- name: 'num_rows',
- description:
- 'If the SELECT query if successful, this field is set to the number of rows returned.',
+ name: 'sha3_256',
+ type: 'keyword',
+ description: 'SHA3_256 hash of the file.',
},
- ],
- },
- ],
- },
- {
- key: 'redis',
- title: 'Redis',
- description: 'Redis-specific event fields.',
- fields: [
- {
- name: 'redis',
- type: 'group',
- fields: [
{
- name: 'return_value',
- description: 'The return value of the Redis command in a human readable format.',
+ name: 'sha3_384',
+ type: 'keyword',
+ description: 'SHA3_384 hash of the file.',
},
{
- name: 'error',
- description:
- 'If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.',
+ name: 'sha3_512',
+ type: 'keyword',
+ description: 'SHA3_512 hash of the file.',
},
- ],
- },
- ],
- },
- {
- key: 'thrift',
- title: 'Thrift-RPC',
- description: 'Thrift-RPC specific event fields.',
- fields: [
- {
- name: 'thrift',
- type: 'group',
- fields: [
{
- name: 'params',
- description:
- 'The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.',
+ name: 'sha512',
+ overwrite: true,
+ type: 'keyword',
+ description: 'SHA512 hash of the file.',
},
{
- name: 'service',
- description: 'The name of the Thrift-RPC service as defined in the IDL files.',
+ name: 'sha512_224',
+ type: 'keyword',
+ description: 'SHA512/224 hash of the file.',
},
{
- name: 'return_value',
- description:
- 'The value returned by the Thrift-RPC call. This is encoded in a human readable format.',
+ name: 'sha512_256',
+ type: 'keyword',
+ description: 'SHA512/256 hash of the file.',
},
{
- name: 'exceptions',
- description:
- 'If the call resulted in exceptions, this field contains the exceptions in a human readable format.',
+ name: 'xxh64',
+ type: 'keyword',
+ description: 'XX64 hash of the file.',
},
],
},
],
},
{
- key: 'tls',
- title: 'TLS',
- description: 'TLS-specific event fields.',
+ key: 'system',
+ title: 'System',
+ description: 'These are the fields generated by the system module.\n',
+ release: 'beta',
fields: [
{
- name: 'tls',
+ name: 'event',
type: 'group',
fields: [
{
- name: 'version',
+ name: 'origin',
type: 'keyword',
- description: 'The version of the TLS protocol used.',
- example: 'TLS 1.3',
- },
- {
- name: 'handshake_completed',
- type: 'boolean',
description:
- 'Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.',
- },
- {
- name: 'resumed',
- type: 'boolean',
- description: 'If the TLS session has been resumed from a previous session.',
+ 'Origin of the event. This can be a file path (e.g. `/var/log/log.1`), or the name of the system component that supplied the data (e.g. `netlink`).\n',
},
+ ],
+ },
+ {
+ name: 'user',
+ type: 'group',
+ fields: [
{
- name: 'resumption_method',
+ name: 'entity_id',
type: 'keyword',
description:
- 'If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.',
+ 'ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.\n',
},
{
- name: 'client_certificate_requested',
- type: 'boolean',
- description:
- 'Whether the server has requested the client to authenticate itself using a client certificate.',
+ name: 'terminal',
+ type: 'keyword',
+ description: 'Terminal of the user.\n',
},
+ ],
+ },
+ {
+ name: 'process',
+ type: 'group',
+ fields: [
{
- name: 'client_hello',
+ name: 'hash',
type: 'group',
+ description:
+ 'Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.\n',
fields: [
{
- name: 'version',
+ name: 'blake2b_256',
type: 'keyword',
- description:
- 'The version of the TLS protocol by which the client wishes to communicate during this session.',
+ description: 'BLAKE2b-256 hash of the executable.',
},
{
- name: 'supported_ciphers',
- type: 'array',
- description:
- 'List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4',
+ name: 'blake2b_384',
+ type: 'keyword',
+ description: 'BLAKE2b-384 hash of the executable.',
},
{
- name: 'supported_compression_methods',
- type: 'array',
- description:
- 'The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml',
+ name: 'blake2b_512',
+ type: 'keyword',
+ description: 'BLAKE2b-512 hash of the executable.',
},
{
- name: 'extensions',
- type: 'group',
- description: 'The hello extensions provided by the client.',
- fields: [
- {
- name: 'server_name_indication',
- type: 'keyword',
- description: 'List of hostnames',
- },
- {
- name: 'application_layer_protocol_negotiation',
- type: 'keyword',
- description:
- 'List of application-layer protocols the client is willing to use.',
- },
- {
- name: 'session_ticket',
- type: 'keyword',
- description:
- 'Length of the session ticket, if provided, or an empty string to advertise support for tickets.',
- },
- {
- name: 'supported_versions',
- type: 'keyword',
- description: 'List of TLS versions that the client is willing to use.',
- },
- {
- name: 'supported_groups',
- type: 'keyword',
- description:
- 'List of Elliptic Curve Cryptography (ECC) curve groups supported by the client.',
- },
- {
- name: 'signature_algorithms',
- type: 'keyword',
- description:
- 'List of signature algorithms that may be use in digital signatures.',
- },
- {
- name: 'ec_points_formats',
- type: 'keyword',
- description:
- 'List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse.',
- },
- {
- name: '_unparsed_',
- type: 'keyword',
- description: 'List of extensions that were left unparsed by Packetbeat.',
- },
- ],
+ name: 'sha224',
+ type: 'keyword',
+ description: 'SHA224 hash of the executable.',
},
- ],
- },
- {
- name: 'server_hello',
- type: 'group',
- fields: [
{
- name: 'version',
+ name: 'sha384',
type: 'keyword',
- description:
- 'The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.',
+ description: 'SHA384 hash of the executable.',
},
{
- name: 'selected_cipher',
+ name: 'sha3_224',
type: 'keyword',
- description:
- 'The cipher suite selected by the server from the list provided by in the client hello.',
+ description: 'SHA3_224 hash of the executable.',
},
{
- name: 'selected_compression_method',
+ name: 'sha3_256',
type: 'keyword',
- description:
- 'The compression method selected by the server from the list provided in the client hello.',
+ description: 'SHA3_256 hash of the executable.',
},
{
- name: 'session_id',
+ name: 'sha3_384',
type: 'keyword',
- description:
- 'Unique number to identify the session for the corresponding connection with the client.',
+ description: 'SHA3_384 hash of the executable.',
},
{
- name: 'extensions',
- type: 'group',
- description: 'The hello extensions provided by the server.',
- fields: [
- {
- name: 'application_layer_protocol_negotiation',
- type: 'array',
- description: 'Negotiated application layer protocol',
- },
- {
- name: 'session_ticket',
- type: 'keyword',
- description:
- 'Used to announce that a session ticket will be provided by the server. Always an empty string.',
- },
- {
- name: 'supported_versions',
- type: 'keyword',
- description: 'Negotiated TLS version to be used.',
- },
- {
- name: 'ec_points_formats',
- type: 'keyword',
- description:
- 'List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse.',
- },
- {
- name: '_unparsed_',
- type: 'keyword',
- description: 'List of extensions that were left unparsed by Packetbeat.',
- },
- ],
+ name: 'sha3_512',
+ type: 'keyword',
+ description: 'SHA3_512 hash of the executable.',
+ },
+ {
+ name: 'sha512_224',
+ type: 'keyword',
+ description: 'SHA512/224 hash of the executable.',
+ },
+ {
+ name: 'sha512_256',
+ type: 'keyword',
+ description: 'SHA512/256 hash of the executable.',
+ },
+ {
+ name: 'xxh64',
+ type: 'keyword',
+ description: 'XX64 hash of the executable.',
},
],
},
+ ],
+ },
+ {
+ name: 'socket',
+ type: 'group',
+ fields: [
+ {
+ name: 'entity_id',
+ type: 'keyword',
+ description:
+ 'ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host ID, socket inode, local IP, local port, remote IP, and remote port.\n',
+ },
+ ],
+ },
+ {
+ name: 'system.audit',
+ type: 'group',
+ description: '\n',
+ fields: [
{
- name: 'client_certificate',
+ name: 'host',
type: 'group',
- description: 'Certificate provided by the client for authentication.',
+ description: '`host` contains general host information.\n',
+ release: 'beta',
fields: [
{
- name: 'version',
+ name: 'uptime',
type: 'long',
- description: 'X509 format version.',
- },
- {
- name: 'serial_number',
- type: 'keyword',
- description: "The certificate's serial number.",
+ format: 'duration',
+ input_format: 'nanoseconds',
+ output_format: 'asDays',
+ output_precision: 1,
+ description: 'Uptime in nanoseconds.\n',
},
{
- name: 'not_before',
+ name: 'boottime',
type: 'date',
- description: 'Date before which the certificate is not valid.',
+ description: 'Boot time.\n',
},
{
- name: 'not_after',
- type: 'date',
- description: 'Date after which the certificate expires.',
+ name: 'containerized',
+ type: 'boolean',
+ description: 'Set if host is a container.\n',
},
{
- name: 'public_key_algorithm',
+ name: 'timezone.name',
type: 'keyword',
- description:
- "The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA. ",
+ description: 'Name of the timezone of the host, e.g. BST.\n',
},
{
- name: 'public_key_size',
+ name: 'timezone.offset.sec',
type: 'long',
- description: 'Size of the public key.',
+ description: 'Timezone offset in seconds.\n',
+ },
+ {
+ name: 'hostname',
+ type: 'keyword',
+ description: 'Hostname.\n',
},
{
- name: 'signature_algorithm',
+ name: 'id',
type: 'keyword',
- description: "The algorithm used for the certificate's signature. ",
+ description: 'Host ID.\n',
},
{
- name: 'alternative_names',
- type: 'array',
- description: 'Subject Alternative Names for this certificate.',
+ name: 'architecture',
+ type: 'keyword',
+ description: 'Host architecture (e.g. x86_64).\n',
},
{
- name: 'raw',
+ name: 'mac',
type: 'keyword',
- description: 'The raw certificate in PEM format.',
+ description: 'MAC addresses.\n',
},
{
- name: 'subject',
- type: 'group',
- description: 'Subject represented by this certificate.',
- fields: [
- {
- name: 'country',
- type: 'keyword',
- description: 'Country code.',
- },
- {
- name: 'organization',
- type: 'keyword',
- description: 'Organization name.',
- },
- {
- name: 'organizational_unit',
- type: 'keyword',
- description: 'Unit within organization.',
- },
- {
- name: 'province',
- type: 'keyword',
- description: 'Province or region within country.',
- },
- {
- name: 'common_name',
- type: 'keyword',
- description: 'Name or host name identified by the certificate.',
- },
- ],
+ name: 'ip',
+ type: 'ip',
+ description: 'IP addresses.\n',
},
{
- name: 'issuer',
+ name: 'os',
type: 'group',
- description: 'Entity that issued and signed this certificate.',
+ description: '`os` contains information about the operating system.\n',
fields: [
{
- name: 'country',
+ name: 'codename',
type: 'keyword',
- description: 'Country code.',
+ description: 'OS codename, if any (e.g. stretch).\n',
},
{
- name: 'organization',
+ name: 'platform',
type: 'keyword',
- description: 'Organization name.',
+ description: 'OS platform (e.g. centos, ubuntu, windows).\n',
},
{
- name: 'organizational_unit',
+ name: 'name',
type: 'keyword',
- description: 'Unit within organization.',
+ description: 'OS name (e.g. Mac OS X).\n',
},
{
- name: 'province',
- type: 'keyword',
- description: 'Province or region within country.',
- },
- {
- name: 'common_name',
- type: 'keyword',
- description: 'Name or host name identified by the certificate.',
- },
- ],
- },
- {
- name: 'fingerprint',
- type: 'group',
- fields: [
- {
- name: 'md5',
+ name: 'family',
type: 'keyword',
- description: "Certificate's MD5 fingerprint.",
+ description: 'OS family (e.g. redhat, debian, freebsd, windows).\n',
},
{
- name: 'sha1',
+ name: 'version',
type: 'keyword',
- description: "Certificate's SHA-1 fingerprint.",
+ description: 'OS version.\n',
},
{
- name: 'sha256',
+ name: 'kernel',
type: 'keyword',
- description: "Certificate's SHA-256 fingerprint.",
+ description: "The operating system's kernel version.\n",
},
],
},
],
},
{
- name: 'server_certificate',
+ name: 'package',
type: 'group',
- description: 'Certificate provided by the server for authentication.',
+ description: '`package` contains information about an installed or removed package.\n',
+ release: 'beta',
fields: [
+ {
+ name: 'entity_id',
+ type: 'keyword',
+ description:
+ 'ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Package name.\n',
+ },
{
name: 'version',
- type: 'long',
- description: 'X509 format version.',
+ type: 'keyword',
+ description: 'Package version.\n',
},
{
- name: 'serial_number',
+ name: 'release',
type: 'keyword',
- description: "The certificate's serial number.",
+ description: 'Package release.\n',
},
{
- name: 'not_before',
- type: 'date',
- description: 'Date before which the certificate is not valid.',
+ name: 'arch',
+ type: 'keyword',
+ description: 'Package architecture.\n',
},
{
- name: 'not_after',
+ name: 'license',
+ type: 'keyword',
+ description: 'Package license.\n',
+ },
+ {
+ name: 'installtime',
type: 'date',
- description: 'Date after which the certificate expires.',
+ description: 'Package install time.\n',
+ },
+ {
+ name: 'size',
+ type: 'long',
+ description: 'Package size.\n',
+ },
+ {
+ name: 'summary',
+ description: 'Package summary.\n',
},
{
- name: 'public_key_algorithm',
+ name: 'url',
type: 'keyword',
- description:
- "The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA. ",
+ description: 'Package URL.\n',
},
+ ],
+ },
+ {
+ name: 'user',
+ type: 'group',
+ description: '`user` contains information about the users on a system.\n',
+ release: 'beta',
+ fields: [
{
- name: 'public_key_size',
- type: 'long',
- description: 'Size of the public key.',
+ name: 'name',
+ type: 'keyword',
+ description: 'User name.\n',
},
{
- name: 'signature_algorithm',
+ name: 'uid',
type: 'keyword',
- description: "The algorithm used for the certificate's signature. ",
+ description: 'User ID.\n',
},
{
- name: 'alternative_names',
- type: 'array',
- description: 'Subject Alternative Names for this certificate.',
+ name: 'gid',
+ type: 'keyword',
+ description: 'Group ID.\n',
},
{
- name: 'raw',
+ name: 'dir',
type: 'keyword',
- description: 'The raw certificate in PEM format.',
+ description: "User's home directory.\n",
},
{
- name: 'subject',
- type: 'group',
- description: 'Subject represented by this certificate.',
- fields: [
- {
- name: 'country',
- type: 'keyword',
- description: 'Country code.',
- },
- {
- name: 'organization',
- type: 'keyword',
- description: 'Organization name.',
- },
- {
- name: 'organizational_unit',
- type: 'keyword',
- description: 'Unit within organization.',
- },
- {
- name: 'province',
- type: 'keyword',
- description: 'Province or region within country.',
- },
- {
- name: 'common_name',
- type: 'keyword',
- description: 'Name or host name identified by the certificate.',
- },
- ],
+ name: 'shell',
+ type: 'keyword',
+ description: 'Program to run at login.\n',
},
{
- name: 'issuer',
- type: 'group',
- description: 'Entity that issued and signed this certificate.',
- fields: [
- {
- name: 'country',
- type: 'keyword',
- description: 'Country code.',
- },
- {
- name: 'organization',
- type: 'keyword',
- description: 'Organization name.',
- },
- {
- name: 'organizational_unit',
- type: 'keyword',
- description: 'Unit within organization.',
- },
- {
- name: 'province',
- type: 'keyword',
- description: 'Province or region within country.',
- },
- {
- name: 'common_name',
- type: 'keyword',
- description: 'Name or host name identified by the certificate.',
- },
- ],
+ name: 'user_information',
+ type: 'keyword',
+ description: 'General user information. On Linux, this is the gecos field.\n',
},
{
- name: 'fingerprint',
- type: 'group',
+ name: 'group',
+ type: 'object',
+ description:
+ "`group` contains information about any groups the user is part of (beyond the user's primary group).\n",
fields: [
{
- name: 'md5',
+ name: 'name',
type: 'keyword',
- description: "Certificate's MD5 fingerprint.",
+ description: 'Group name.\n',
},
{
- name: 'sha1',
- type: 'keyword',
- description: "Certificate's SHA-1 fingerprint.",
- },
- {
- name: 'sha256',
- type: 'keyword',
- description: "Certificate's SHA-256 fingerprint.",
+ name: 'gid',
+ type: 'integer',
+ description: 'Group ID.\n',
},
],
},
- ],
- },
- {
- name: 'server_certificate_chain',
- type: 'array',
- description: 'Chain of trust for the server certificate.',
- },
- {
- name: 'client_certificate_chain',
- type: 'array',
- description: 'Chain of trust for the client certificate.',
- },
- {
- name: 'alert_types',
- type: 'keyword',
- description: 'An array containing the TLS alert type for every alert received.',
- },
- {
- name: 'fingerprints',
- type: 'group',
- description: 'Fingerprints for this TLS session.',
- fields: [
{
- name: 'ja3',
+ name: 'password',
type: 'group',
- description: 'JA3 TLS client fingerprint',
+ description:
+ "`password` contains information about a user's password (not the password itself).\n",
fields: [
{
- name: 'hash',
+ name: 'type',
type: 'keyword',
- description: 'The JA3 fingerprint hash for the client side.',
+ description:
+ "A user's password type. Possible values are `shadow_password` (the password hash is in the shadow file), `password_disabled`, `no_password` (this is dangerous as anyone can log in), and `crypt_password` (when the password field in /etc/passwd seems to contain an encrypted password).\n",
},
{
- name: 'str',
- type: 'keyword',
- description: 'The JA3 string used to calculate the hash.',
+ name: 'last_changed',
+ type: 'date',
+ description: "The day the user's password was last changed.\n",
},
],
},
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/ecs.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/ecs.ts
index 34deee7fa88950..a439d105d63df1 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/ecs.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/ecs.ts
@@ -13,1997 +13,5663 @@
* instances e.g. `@timestamp` to `timestamp`
*/
-import { EcsSchema } from '../type';
+import { Schema } from '../type';
-export const ecsSchema: EcsSchema = {
- agent: {
- description:
- 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.\n',
- fields: {
- 'agent.ephemeral_id': {
- description:
- 'Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not.',
- example: '8a4f500f',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'agent.ephemeral_id',
- required: false,
- type: 'keyword',
- },
- 'agent.id': {
- description:
- 'Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id.',
- example: '8a4f500d',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'agent.id',
- required: false,
- type: 'keyword',
- },
- 'agent.name': {
- description:
- 'Name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.\nIf no name is given, the name is often left empty.',
- example: 'foo',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'agent.name',
- required: false,
- type: 'keyword',
- },
- 'agent.type': {
- description:
- 'Type of the agent.\nThe agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.',
- example: 'filebeat',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'agent.type',
- required: false,
- type: 'keyword',
- },
- 'agent.version': {
- description: 'Version of the agent.',
- example: '6.0.0-rc2',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'agent.version',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'agent',
- title: 'Agent',
- type: 'group',
- },
- base: {
- description:
- 'The base set contains all fields which are on the top level. These fields are common across all types of events.\n',
- fields: {
- '@timestamp': {
- description:
- 'Date/time when the event originated.\nFor log events this is the date/time when the event was generated, and not when it was read.\nRequired field for all events.',
- example: '2016-05-23T08:05:34.853Z',
- footnote: '',
- group: 1,
- level: 'core',
+export const ecsSchema: Schema = [
+ {
+ key: 'ecs',
+ title: 'ECS',
+ description: 'ECS Fields.',
+ fields: [
+ {
name: '@timestamp',
+ level: 'core',
required: true,
type: 'date',
- },
- labels: {
description:
- 'Key/value pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels.',
- example: "{'application': 'foo-bar', 'env': 'production'}",
- footnote: '',
- group: 1,
- level: 'core',
+ 'Date/time when the event originated.\n\nThis is the date/time extracted from the event, typically representing when\nthe event was generated by the source.\n\nIf the event source has no original timestamp, this value is typically populated\nby the first time the event was received by the pipeline.\n\nRequired field for all events.',
+ example: '2016-05-23T08:05:34.853Z',
+ },
+ {
name: 'labels',
- required: false,
+ level: 'core',
type: 'object',
- },
- message: {
+ object_type: 'keyword',
description:
- 'For log events the message field contains the log message.\nIn other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.',
- example: 'Hello World',
- footnote: '',
- group: 1,
- level: 'core',
+ 'Custom key/value pairs.\n\nCan be used to add meta information to events. Should not contain nested objects.\nAll values are stored as keyword.\n\nExample: `docker` and `k8s` labels.',
+ example: '{"application": "foo-bar", "env": "production"}',
+ },
+ {
name: 'message',
- required: false,
+ level: 'core',
type: 'text',
+ description:
+ 'For log events the message field contains the log message, optimized\nfor viewing in a log viewer.\n\nFor structured logs without an original message field, other fields can be concatenated\nto form a human-readable summary of the event.\n\nIf multiple messages exist, they can be combined into one message.',
+ example: 'Hello World',
},
- tags: {
- description: 'List of keywords used to tag each event.',
- example: '["production", "env2"]',
- footnote: '',
- group: 1,
- level: 'core',
+ {
name: 'tags',
- required: false,
- type: 'keyword',
- },
- },
- group: 1,
- name: 'base',
- title: 'Base',
- type: 'group',
- },
- client: {
- description:
- 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjuction with server fields. Client fields are generally not populated for packet-level events. \n',
- fields: {
- 'client.bytes': {
- description: 'Bytes sent from the client to the server.',
- example: '184',
- footnote: '',
- group: 2,
level: 'core',
- name: 'client.bytes',
- required: false,
- type: 'long',
- },
- 'client.domain': {
- description: 'Client domain.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'client.domain',
- required: false,
- type: 'keyword',
- },
- 'client.ip': {
- description: 'IP address of the client.\nCan be one or multiple IPv4 or IPv6 addresses.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'client.ip',
- required: false,
- type: 'ip',
- },
- 'client.mac': {
- description: 'MAC address of the client.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'client.mac',
- required: false,
type: 'keyword',
+ ignore_above: 1024,
+ description: 'List of keywords used to tag each event.',
+ example: '["production", "env2"]',
},
- 'client.packets': {
- description: 'Packets sent from the client to the server.',
- example: '12',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'client.packets',
- required: false,
- type: 'long',
- },
- 'client.port': {
- description: 'Port of the client.',
- example: '',
- footnote: '',
+ {
+ name: 'agent',
+ title: 'Agent',
group: 2,
- level: 'core',
- name: 'client.port',
- required: false,
- type: 'long',
- },
- },
- group: 2,
- name: 'client',
- title: 'Client',
- type: 'group',
- },
- cloud: {
- description: 'Fields related to the cloud or infrastructure the events are coming from.\n',
- fields: {
- 'cloud.account.id': {
description:
- 'The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
- example: '666777888999',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'cloud.account.id',
- required: false,
- type: 'keyword',
- },
- 'cloud.availability_zone': {
- description: 'Availability zone in which this host is running.',
- example: 'us-east-1c',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'cloud.availability_zone',
- required: false,
- type: 'keyword',
- },
- 'cloud.instance.id': {
- description: 'Instance ID of the host machine.',
- example: 'i-1234567890abcdef0',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'cloud.instance.id',
- required: false,
- type: 'keyword',
- },
- 'cloud.instance.name': {
- description: 'Instance name of the host machine.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'cloud.instance.name',
- required: false,
- type: 'keyword',
- },
- 'cloud.machine.type': {
- description: 'Machine type of the host machine.',
- example: 't2.medium',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'cloud.machine.type',
- required: false,
- type: 'keyword',
- },
- 'cloud.provider': {
- description: 'Name of the cloud provider. Example values are ec2, gce, or digitalocean.',
- example: 'ec2',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'cloud.provider',
- required: false,
- type: 'keyword',
- },
- 'cloud.region': {
- description: 'Region in which this host is running.',
- example: 'us-east-1',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'cloud.region',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'cloud',
- title: 'Cloud',
- type: 'group',
- },
- container: {
- description:
- 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.\n',
- fields: {
- 'container.id': {
- description: 'Unique container id.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'container.id',
- required: false,
- type: 'keyword',
- },
- 'container.image.name': {
- description: 'Name of the image the container was built on.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'container.image.name',
- required: false,
- type: 'keyword',
- },
- 'container.image.tag': {
- description: 'Container image tag.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'container.image.tag',
- required: false,
- type: 'keyword',
- },
- 'container.labels': {
- description: 'Image labels.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'container.labels',
- required: false,
- type: 'object',
- },
- 'container.name': {
- description: 'Container name.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'container.name',
- required: false,
- type: 'keyword',
- },
- 'container.runtime': {
- description: 'Runtime managing this container.',
- example: 'docker',
- footnote: '',
+ 'The agent fields contain the data about the software entity, if\nany, that collects, detects, or observes events on a host, or takes measurements\non a host.\n\nExamples include Beats. Agents may also run on observers. ECS agent.* fields\nshall be populated with details of the agent running on the host or observer\nwhere the event happened or the measurement was taken.',
+ footnote:
+ 'Examples: In the case of Beats for logs, the agent.name is filebeat.\nFor APM, it is the agent running in the app/service. The agent information does\nnot change if data is sent through queuing systems like Kafka, Redis, or processing\nsystems such as Logstash or APM Server.',
+ type: 'group',
+ fields: [
+ {
+ name: 'build.original',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Extended build information for the agent.\n\nThis field is intended to contain any build information that a data source\nmay provide, no specific formatting is required.',
+ example:
+ 'metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c\nbuilt 2020-02-05 23:10:10 +0000 UTC]',
+ default_field: false,
+ },
+ {
+ name: 'ephemeral_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Ephemeral identifier of this agent (if one exists).\n\nThis id normally changes across restarts, but `agent.id` does not.',
+ example: '8a4f500f',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of this agent (if one exists).\n\nExample: For Beats this would be beat.id.',
+ example: '8a4f500d',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Custom name of the agent.\n\nThis is a name that can be given to an agent. This can be helpful if for example\ntwo Filebeat instances are running on the same host but a human readable separation\nis needed on which Filebeat instance data is coming from.\n\nIf no name is given, the name is often left empty.',
+ example: 'foo',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Type of the agent.\n\nThe agent type stays always the same and should be given by the agent used.\nIn case of Filebeat the agent would always be Filebeat also if two Filebeat\ninstances are run on the same machine.',
+ example: 'filebeat',
+ },
+ {
+ name: 'version',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Version of the agent.',
+ example: '6.0.0-rc2',
+ },
+ ],
+ },
+ {
+ name: 'as',
+ title: 'Autonomous System',
group: 2,
- level: 'extended',
- name: 'container.runtime',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'container',
- title: 'Container',
- type: 'group',
- },
- destination: {
- description:
- 'Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields.\n',
- fields: {
- 'destination.bytes': {
- description: 'Bytes sent from the destination to the source.',
- example: '184',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'destination.bytes',
- required: false,
- type: 'long',
- },
- 'destination.domain': {
- description: 'Destination domain.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'destination.domain',
- required: false,
- type: 'keyword',
- },
- 'destination.ip': {
description:
- 'IP address of the destination.\nCan be one or multiple IPv4 or IPv6 addresses.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'destination.ip',
- required: false,
- type: 'ip',
- },
- 'destination.mac': {
- description: 'MAC address of the destination.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'destination.mac',
- required: false,
- type: 'keyword',
- },
- 'destination.packets': {
- description: 'Packets sent from the destination to the source.',
- example: '12',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'destination.packets',
- required: false,
- type: 'long',
- },
- 'destination.port': {
- description: 'Port of the destination.',
- example: '',
- footnote: '',
+ 'An autonomous system (AS) is a collection of connected Internet Protocol\n(IP) routing prefixes under the control of one or more network operators on\nbehalf of a single administrative entity or domain that presents a common, clearly\ndefined routing policy to the internet.',
+ type: 'group',
+ fields: [
+ {
+ name: 'number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ ],
+ },
+ {
+ name: 'client',
+ title: 'Client',
group: 2,
- level: 'core',
- name: 'destination.port',
- required: false,
- type: 'long',
- },
- },
- group: 2,
- name: 'destination',
- title: 'Destination',
- type: 'group',
- },
- ecs: {
- description: 'Meta-information specific to ECS.\n',
- fields: {
- 'ecs.version': {
description:
- 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.\nThe current version is 1.0.0-beta1 .',
- example: '1.0.0-beta1',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'ecs.version',
- required: true,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'ecs',
- title: 'ECS',
- type: 'group',
- },
- error: {
- description:
- 'These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.\n',
- fields: {
- 'error.code': {
- description: 'Error code describing the error.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'error.code',
- required: false,
- type: 'keyword',
- },
- 'error.id': {
- description: 'Unique identifier for the error.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'error.id',
- required: false,
- type: 'keyword',
- },
- 'error.message': {
- description: 'Error message.',
- example: '',
- footnote: '',
+ 'A client is defined as the initiator of a network connection for\nevents regarding sessions, connections, or bidirectional flow records.\n\nFor TCP events, the client is the initiator of the TCP connection that sends\nthe SYN packet(s). For other protocols, the client is generally the initiator\nor requestor in the network transaction. Some systems use the term "originator"\nto refer the client in TCP connections. The client fields describe details about\nthe system acting as the client in the network event. Client fields are usually\npopulated in conjunction with server fields. Client fields are generally not\npopulated for packet-level events.\n\nClient / server representations can add semantic context to an exchange, which\nis helpful to visualize the data in certain situations. If your context falls\nin that category, you should still ensure that source and destination are filled\nappropriately.',
+ type: 'group',
+ fields: [
+ {
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event client addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the client to the server.',
+ example: 184,
+ },
+ {
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Client domain.',
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'IP address of the client (IPv4 or IPv6).',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the client.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated IP of source based NAT sessions (e.g. internal client\nto internet).\n\nTypically connections traversing load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of source based NAT sessions (e.g. internal client\nto internet).\n\nTypically connections traversing load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the client to the server.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the client.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered client domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'cloud',
+ title: 'Cloud',
+ group: 2,
+ description: 'Fields related to the cloud or infrastructure the events are coming\nfrom.',
+ footnote:
+ 'Examples: If Metricbeat is running on an EC2 host and fetches data\nfrom its host, the cloud info contains the data about this machine. If Metricbeat\nruns on a remote machine outside the cloud and fetches data from a service running\nin the cloud, the field contains cloud data from the machine the service is\nrunning on.',
+ type: 'group',
+ fields: [
+ {
+ name: 'account.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The cloud account or organization id used to identify different\nentities in a multi-tenant environment.\n\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
+ example: 666777888999,
+ },
+ {
+ name: 'availability_zone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Availability zone in which this host is running.',
+ example: 'us-east-1c',
+ },
+ {
+ name: 'instance.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Instance ID of the host machine.',
+ example: 'i-1234567890abcdef0',
+ },
+ {
+ name: 'instance.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Instance name of the host machine.',
+ },
+ {
+ name: 'machine.type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Machine type of the host machine.',
+ example: 't2.medium',
+ },
+ {
+ name: 'provider',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the cloud provider. Example values are aws, azure, gcp,\nor digitalocean.',
+ example: 'aws',
+ },
+ {
+ name: 'region',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region in which this host is running.',
+ example: 'us-east-1',
+ },
+ ],
+ },
+ {
+ name: 'code_signature',
+ title: 'Code Signature',
+ group: 2,
+ description: 'These fields contain information about binary code signatures.',
+ type: 'group',
+ fields: [
+ {
+ name: 'exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'container',
+ title: 'Container',
group: 2,
- level: 'core',
- name: 'error.message',
- required: false,
- type: 'text',
- },
- },
- group: 2,
- name: 'error',
- title: 'Error',
- type: 'group',
- },
- event: {
- description:
- 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host.\n',
- fields: {
- 'event.action': {
description:
- 'The action captured by the event.\nThis describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.',
- example: 'user-password-change',
- footnote: '',
+ 'Container fields are used for meta information about the specific\ncontainer that is the source of information.\n\nThese fields help correlate data based containers from any runtime.',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique container id.',
+ },
+ {
+ name: 'image.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the image the container was built on.',
+ },
+ {
+ name: 'image.tag',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Container image tags.',
+ },
+ {
+ name: 'labels',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Image labels.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Container name.',
+ },
+ {
+ name: 'runtime',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Runtime managing this container.',
+ example: 'docker',
+ },
+ ],
+ },
+ {
+ name: 'destination',
+ title: 'Destination',
group: 2,
- level: 'core',
- name: 'event.action',
- required: false,
- type: 'keyword',
- },
- 'event.category': {
description:
- 'Event category.\nThis contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'user-management',
- footnote: '',
+ 'Destination fields describe details about the destination of a packet/event.\n\nDestination fields are usually populated in conjunction with source fields.',
+ type: 'group',
+ fields: [
+ {
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event destination addresses are defined ambiguously. The\nevent will sometimes list an IP, a domain or a unix socket. You should always\nstore the raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the destination to the source.',
+ example: 184,
+ },
+ {
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Destination domain.',
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'IP address of the destination (IPv4 or IPv6).',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the destination.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated ip of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Port the source session is translated to by NAT Device.\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the destination to the source.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the destination.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered destination domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'dll',
+ title: 'DLL',
group: 2,
- level: 'core',
- name: 'event.category',
- required: false,
- type: 'keyword',
- },
- 'event.created': {
description:
- 'event.created contains the date when the event was created.\nThis timestamp is distinct from @timestamp in that @timestamp contains the processed timestamp. For logs these two timestamps can be different as the timestamp in the log line and when the event is read for example by Filebeat are not identical. `@timestamp` must contain the timestamp extracted from the log line, event.created when the log line is read. The same could apply to package capturing where @timestamp contains the timestamp extracted from the network package and event.created when the event was created.\nIn case the two timestamps are identical, @timestamp should be used.',
- example: '',
- footnote: '',
+ 'These fields contain information about code libraries dynamically\nloaded into processes.\n\n\nMany operating systems refer to "shared code libraries" with different names,\nbut this field set refers to all of the following:\n\n* Dynamic-link library (`.dll`) commonly used on Windows\n\n* Shared Object (`.so`) commonly used on Unix-like operating systems\n\n* Dynamic library (`.dylib`) commonly used on macOS',
+ type: 'group',
+ fields: [
+ {
+ name: 'code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ default_field: false,
+ },
+ {
+ name: 'hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ default_field: false,
+ },
+ {
+ name: 'hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ default_field: false,
+ },
+ {
+ name: 'hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the library.\n\nThis generally maps to the name of the file on disk.',
+ example: 'kernel32.dll',
+ default_field: false,
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Full file path of the library.',
+ example: 'C:\\Windows\\System32\\kernel32.dll',
+ default_field: false,
+ },
+ {
+ name: 'pe.architecture',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'CPU architecture target for the file.',
+ example: 'x64',
+ default_field: false,
+ },
+ {
+ name: 'pe.company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'pe.description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'pe.file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'pe.imphash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash of the imports in a PE file. An imphash -- or import hash\n-- can be used to fingerprint binaries even after recompilation or other code-level\ntransformations have occurred, which would change more traditional hash values.\n\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.',
+ example: '0c6803c4e922103c4dca5963aad36ddf',
+ default_field: false,
+ },
+ {
+ name: 'pe.original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'pe.product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'dns',
+ title: 'DNS',
group: 2,
- level: 'core',
- name: 'event.created',
- required: false,
- type: 'date',
- },
- 'event.dataset': {
description:
- 'Name of the dataset.\nThe concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name.',
- example: 'stats',
- footnote: '',
+ 'Fields describing DNS queries and answers.\n\nDNS events should either represent a single DNS query prior to getting answers\n(`dns.type:query`) or they should represent a full exchange and contain the\nquery details as well as all of the answers that were provided for this query\n(`dns.type:answer`).',
+ type: 'group',
+ fields: [
+ {
+ name: 'answers',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'An array containing an object for each answer section returned\nby the server.\n\nThe main keys that should be present in these objects are defined by ECS.\nRecords that have more information may contain more keys than what ECS defines.\n\nNot all DNS data sources give all details about DNS answers. At minimum, answer\nobjects must contain the `data` key. If more information is available, map\nas much of it to ECS as possible, and add any additional fields to the answer\nobjects as custom fields.',
+ },
+ {
+ name: 'answers.class',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The class of DNS data contained in this resource record.',
+ example: 'IN',
+ },
+ {
+ name: 'answers.data',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The data describing the resource.\n\nThe meaning of this data depends on the type and class of the resource record.',
+ example: '10.10.10.10',
+ },
+ {
+ name: 'answers.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The domain name to which this resource record pertains.\n\nIf a chain of CNAME is being resolved, each answer `name` should be the\none that corresponds with the answer `data`. It should not simply be the\noriginal `question.name` repeated.',
+ example: 'www.google.com',
+ },
+ {
+ name: 'answers.ttl',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The time interval in seconds that this resource record may be cached\nbefore it should be discarded. Zero values mean that the data should not be\ncached.',
+ example: 180,
+ },
+ {
+ name: 'answers.type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The type of data contained in this resource record.',
+ example: 'CNAME',
+ },
+ {
+ name: 'header_flags',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of 2 letter DNS header flags.\n\nExpected values are: AA, TC, RD, RA, AD, CD, DO.',
+ example: ['RD', 'RA'],
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The DNS packet identifier assigned by the program that generated\nthe query. The identifier is copied to the response.',
+ example: 62111,
+ },
+ {
+ name: 'op_code',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The DNS operation code that specifies the kind of query in the\nmessage. This value is set by the originator of a query and copied into the\nresponse.',
+ example: 'QUERY',
+ },
+ {
+ name: 'question.class',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The class of records being queried.',
+ example: 'IN',
+ },
+ {
+ name: 'question.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name being queried.\n\nIf the name field contains non-printable characters (below 32 or above 126),\nthose characters should be represented as escaped base 10 integers (\\DDD).\nBack slashes and quotes should be escaped. Tabs, carriage returns, and line\nfeeds should be converted to \\t, \\r, and \\n respectively.',
+ example: 'www.google.com',
+ },
+ {
+ name: 'question.registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'question.subdomain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The subdomain is all of the labels under the registered_domain.\n\nIf the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",\nthe subdomain field should contain "sub2.sub1", with no trailing period.',
+ example: 'www',
+ },
+ {
+ name: 'question.top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'question.type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The type of record being queried.',
+ example: 'AAAA',
+ },
+ {
+ name: 'resolved_ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Array containing all IPs seen in `answers.data`.\n\nThe `answers` array can be difficult to use, because of the variety of data\nformats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`\nmakes it possible to index them as IP addresses, and makes them easier to\nvisualize and query for.',
+ example: ['10.10.10.10', '10.10.10.11'],
+ },
+ {
+ name: 'response_code',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The DNS response code.',
+ example: 'NOERROR',
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of DNS event captured, query or answer.\n\nIf your source of DNS events only gives you DNS queries, you should only create\ndns events of type `dns.type:query`.\n\nIf your source of DNS events gives you answers as well, you should create\none event per query (optionally as soon as the query is seen). And a second\nevent containing all query details as well as an array of answers.',
+ example: 'answer',
+ },
+ ],
+ },
+ {
+ name: 'ecs',
+ title: 'ECS',
+ group: 2,
+ description: 'Meta-information specific to ECS.',
+ type: 'group',
+ fields: [
+ {
+ name: 'version',
+ level: 'core',
+ required: true,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'ECS version this event conforms to. `ecs.version` is a required\nfield and must exist in all events.\n\nWhen querying across multiple indices -- which may conform to slightly different\nECS versions -- this field lets integrations adjust to the schema version\nof the events.',
+ example: '1.0.0',
+ },
+ ],
+ },
+ {
+ name: 'error',
+ title: 'Error',
group: 2,
- level: 'core',
- name: 'event.dataset',
- required: false,
- type: 'keyword',
- },
- 'event.duration': {
description:
- 'Duration of the event in nanoseconds.\nIf event.start and event.end are known this value should be the difference between the end and start time.',
- example: '',
- footnote: '',
+ 'These fields can represent errors of any kind.\n\nUse them for errors that happen while fetching events or in cases where the\nevent itself contains an error.',
+ type: 'group',
+ fields: [
+ {
+ name: 'code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Error code describing the error.',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the error.',
+ },
+ {
+ name: 'message',
+ level: 'core',
+ type: 'text',
+ description: 'Error message.',
+ },
+ {
+ name: 'stack_trace',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The stack trace of this error in plain text.',
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The type of the error, for example the class name of the exception.',
+ example: 'java.lang.NullPointerException',
+ },
+ ],
+ },
+ {
+ name: 'event',
+ title: 'Event',
group: 2,
- level: 'core',
- name: 'event.duration',
- required: false,
- type: 'long',
- },
- 'event.end': {
description:
- 'event.end contains the date when the event ended or when the activity was last observed.',
- example: '',
- footnote: '',
+ 'The event fields are used for context information about the log\nor metric event itself.\n\nA log is defined as an event containing details of something that happened.\nLog events must include the time at which the thing happened. Examples of log\nevents include a process starting on a host, a network packet being sent from\na source to a destination, or a network connection between a client and a server\nbeing initiated or closed. A metric is defined as an event containing one or\nmore numerical measurements and the time at which the measurement was taken.\nExamples of metric events include memory pressure measured on a host and device\ntemperature. See the `event.kind` definition in this section for additional\ndetails about metric and state events.',
+ type: 'group',
+ fields: [
+ {
+ name: 'action',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.',
+ example: 'user-password-change',
+ },
+ {
+ name: 'category',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nsecond level in the ECS category hierarchy.\n\n`event.category` represents the "big buckets" of ECS categories. For example,\nfiltering on `event.category:process` yields all events relating to process\nactivity. This field is closely related to `event.type`, which is used as\na subcategory.\n\nThis field is an array. This will allow proper categorization of some events\nthat fall in multiple categories.',
+ example: 'authentication',
+ },
+ {
+ name: 'code',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Identification code for this event, if one exists.\n\nSome event sources use event codes to identify messages unambiguously, regardless\nof message language or wording adjustments over time. An example of this is\nthe Windows Event ID.',
+ example: 4648,
+ },
+ {
+ name: 'created',
+ level: 'core',
+ type: 'date',
+ description:
+ 'event.created contains the date/time when the event was first\nread by an agent, or by your pipeline.\n\nThis field is distinct from @timestamp in that @timestamp typically contain\nthe time extracted from the original event.\n\nIn most situations, these two timestamps will be slightly different. The difference\ncan be used to calculate the delay between your source generating an event,\nand the time when your agent first processed it. This can be used to monitor\nyour agent or pipeline ability to keep up with your event source.\n\nIn case the two timestamps are identical, @timestamp should be used.',
+ example: '2016-05-23T08:05:34.857Z',
+ },
+ {
+ name: 'dataset',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the dataset.\n\nIf an event source publishes more than one type of log or events (e.g. access\nlog, error log), the dataset is used to specify which one the event comes\nfrom.\n\nIt is recommended but not required to start the dataset name with the module\nname, followed by a dot, then the dataset name.',
+ example: 'apache.access',
+ },
+ {
+ name: 'duration',
+ level: 'core',
+ type: 'long',
+ format: 'duration',
+ input_format: 'nanoseconds',
+ output_format: 'asMilliseconds',
+ output_precision: 1,
+ description:
+ 'Duration of the event in nanoseconds.\n\nIf event.start and event.end are known this value should be the difference\nbetween the end and start time.',
+ },
+ {
+ name: 'end',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'event.end contains the date when the event ended or when the activity\nwas last observed.',
+ },
+ {
+ name: 'hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Hash (perhaps logstash fingerprint) of raw field to be able to\ndemonstrate log integrity.',
+ example: '123456789012345678901234567890ABCD',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique ID to describe the event.',
+ example: '8a4f500d',
+ },
+ {
+ name: 'ingested',
+ level: 'core',
+ type: 'date',
+ description:
+ 'Timestamp when an event arrived in the central data store.\n\nThis is different from `@timestamp`, which is when the event originally occurred. It is\nalso different from `event.created`, which is meant to capture the first time\nan agent saw the event.\n\nIn normal conditions, assuming no tampering, the timestamps should chronologically\nlook like this: `@timestamp` < `event.created` < `event.ingested`.',
+ example: '2016-05-23T08:05:35.101Z',
+ default_field: false,
+ },
+ {
+ name: 'kind',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nhighest level in the ECS category hierarchy.\n\n`event.kind` gives high-level information about what type of information the\nevent contains, without being specific to the contents of the event. For example,\nvalues of this field distinguish alert events from metric events.\n\nThe value of this field can be used to inform how these kinds of events should\nbe handled. They may warrant different retention, different access control,\nit may also help understand whether the data coming in at a regular interval\nor not.',
+ example: 'alert',
+ },
+ {
+ name: 'module',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the module this data is coming from.\n\nIf your monitoring agent supports the concept of modules or plugins to process\nevents of a given source (e.g. Apache logs), `event.module` should contain\nthe name of this module.',
+ example: 'apache',
+ },
+ {
+ name: 'original',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Raw text message of entire event. Used to demonstrate log integrity.\n\nThis field is not indexed and doc_values are disabled. It cannot be searched,\nbut it can be retrieved from `_source`.',
+ example:
+ 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|\nworm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232',
+ },
+ {
+ name: 'outcome',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nlowest level in the ECS category hierarchy.\n\n`event.outcome` simply denotes whether the event represents a success or a\nfailure from the perspective of the entity that produced the event.\n\nNote that when a single transaction is described in multiple events, each\nevent may populate different values of `event.outcome`, according to their\nperspective.\n\nAlso note that in the case of a compound event (a single event that contains\nmultiple logical events), this field should be populated with the value that\nbest captures the overall success or failure from the perspective of the event\nproducer.\n\nFurther note that not all events will have an associated outcome. For example,\nthis field is generally not populated for metric events, events with `event.type:info`,\nor any events for which an outcome does not make logical sense.',
+ example: 'success',
+ },
+ {
+ name: 'provider',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Source of the event.\n\nEvent transports such as Syslog or the Windows Event Log typically mention\nthe source of an event. It can be the name of the software that generated\nthe event (e.g. Sysmon, httpd), or of a subsystem of the operating system\n(kernel, Microsoft-Windows-Security-Auditing).',
+ example: 'kernel',
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Reference URL linking to additional information about this event.\n\nThis URL links to a static definition of the this event. Alert events, indicated\nby `event.kind:alert`, are a common use case for this field.',
+ example: 'https://system.vendor.com/event/#0001234',
+ default_field: false,
+ },
+ {
+ name: 'risk_score',
+ level: 'core',
+ type: 'float',
+ description:
+ "Risk score or priority of the event (e.g. security solutions).\nUse your system's original value here.",
+ },
+ {
+ name: 'risk_score_norm',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Normalized risk score or priority of the event, on a scale of\n0 to 100.\n\nThis is mainly useful if you use more than one system that assigns risk scores,\nand you want to see a normalized value across all systems.',
+ },
+ {
+ name: 'sequence',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Sequence number of the event.\n\nThe sequence number is a value published by some event sources, to make the\nexact ordering of events unambiguous, regardless of the timestamp precision.',
+ },
+ {
+ name: 'severity',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description:
+ 'The numeric severity of the event according to your event source.\n\nWhat the different severity values mean can be different between sources and\nuse cases. It is up to the implementer to make sure severities are consistent\nacross events from the same source.\n\nThe Syslog severity belongs in `log.syslog.severity.code`. `event.severity`\nis meant to represent the severity according to the event source (e.g. firewall,\nIDS). If the event source does not publish its own severity, you may optionally\ncopy the `log.syslog.severity.code` to `event.severity`.',
+ example: 7,
+ },
+ {
+ name: 'start',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'event.start contains the date when the event started or when the\nactivity was first observed.',
+ },
+ {
+ name: 'timezone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This field should be populated when the event timestamp does\nnot include timezone information already (e.g. default Syslog timestamps).\nIt is optional otherwise.\n\nAcceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),\nabbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nthird level in the ECS category hierarchy.\n\n`event.type` represents a categorization "sub-bucket" that, when used along\nwith the `event.category` field values, enables filtering events down to a\nlevel appropriate for single visualization.\n\nThis field is an array. This will allow proper categorization of some events\nthat fall in multiple event types.',
+ },
+ {
+ name: 'url',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'URL linking to an external system to continue investigation of\nthis event.\n\nThis URL links to another system where in-depth investigation of the specific\noccurence of this event can take place. Alert events, indicated by `event.kind:alert`,\nare a common use case for this field.',
+ example: 'https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'file',
+ title: 'File',
group: 2,
- level: 'extended',
- name: 'event.end',
- required: false,
- type: 'date',
- },
- 'event.hash': {
description:
- 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.',
- example: '123456789012345678901234567890ABCD',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'event.hash',
- required: false,
- type: 'keyword',
- },
- 'event.id': {
- description: 'Unique ID to describe the event.',
- example: '8a4f500d',
- footnote: '',
+ 'A file is defined as a set of information that has been created\non, or has existed on a filesystem.\n\nFile objects can be associated with host events, network events, and/or file\nevents (e.g., those produced by File Integrity Monitoring [FIM] products or\nservices). File fields provide details about the affected file associated with\nthe event or metric.',
+ type: 'group',
+ fields: [
+ {
+ name: 'accessed',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Last time the file was accessed.\n\nNote that not all filesystems keep track of access time.',
+ },
+ {
+ name: 'attributes',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of file attributes.\n\nAttributes names will vary by platform. Here is a non-exhaustive list of values\nthat are expected in this field: archive, compressed, directory, encrypted,\nexecute, hidden, read, readonly, system, write.',
+ example: '["readonly", "system"]',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'created',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'File creation time.\n\nNote that not all filesystems store the creation time.',
+ },
+ {
+ name: 'ctime',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Last time the file attributes or metadata changed.\n\nNote that changes to the file content will update `mtime`. This implies `ctime`\nwill be adjusted at the same time, since `mtime` is an attribute of the file.',
+ },
+ {
+ name: 'device',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Device that is the source of the file.',
+ example: 'sda',
+ },
+ {
+ name: 'directory',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Directory where the file is located. It should include the drive\nletter, when appropriate.',
+ example: '/home/alice',
+ },
+ {
+ name: 'drive_letter',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1,
+ description:
+ 'Drive letter where the file is located. This field is only relevant\non Windows.\n\nThe value should be uppercase, and not include the colon.',
+ example: 'C',
+ default_field: false,
+ },
+ {
+ name: 'extension',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'File extension.',
+ example: 'png',
+ },
+ {
+ name: 'gid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Primary group ID (GID) of the file.',
+ example: '1001',
+ },
+ {
+ name: 'group',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Primary group name of the file.',
+ example: 'alice',
+ },
+ {
+ name: 'hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ },
+ {
+ name: 'hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ },
+ {
+ name: 'hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ },
+ {
+ name: 'hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ },
+ {
+ name: 'inode',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Inode representing the file in the filesystem.',
+ example: '256383',
+ },
+ {
+ name: 'mime_type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'MIME type should identify the format of the file or stream of bytes\nusing https://www.iana.org/assignments/media-types/media-types.xhtml[IANA\nofficial types], where possible. When more than one type is applicable, the\nmost specific type should be used.',
+ default_field: false,
+ },
+ {
+ name: 'mode',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Mode of the file in octal representation.',
+ example: '0640',
+ },
+ {
+ name: 'mtime',
+ level: 'extended',
+ type: 'date',
+ description: 'Last time the file content was modified.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the file including the extension, without the directory.',
+ example: 'example.png',
+ },
+ {
+ name: 'owner',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: "File owner's username.",
+ example: 'alice',
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Full path to the file, including the file name. It should include\nthe drive letter, when appropriate.',
+ example: '/home/alice/example.png',
+ },
+ {
+ name: 'pe.architecture',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'CPU architecture target for the file.',
+ example: 'x64',
+ default_field: false,
+ },
+ {
+ name: 'pe.company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'pe.description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'pe.file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'pe.imphash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash of the imports in a PE file. An imphash -- or import hash\n-- can be used to fingerprint binaries even after recompilation or other code-level\ntransformations have occurred, which would change more traditional hash values.\n\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.',
+ example: '0c6803c4e922103c4dca5963aad36ddf',
+ default_field: false,
+ },
+ {
+ name: 'pe.original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'pe.product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ {
+ name: 'size',
+ level: 'extended',
+ type: 'long',
+ description: 'File size in bytes.\n\nOnly relevant when `file.type` is "file".',
+ example: 16384,
+ },
+ {
+ name: 'target_path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Target path for symlinks.',
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'File type (file, dir, or symlink).',
+ example: 'file',
+ },
+ {
+ name: 'uid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The user ID (UID) or security identifier (SID) of the file owner.',
+ example: '1001',
+ },
+ ],
+ },
+ {
+ name: 'geo',
+ title: 'Geo',
group: 2,
- level: 'core',
- name: 'event.id',
- required: false,
- type: 'keyword',
- },
- 'event.kind': {
description:
- 'The kind of the event.\nThis gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'state',
- footnote: '',
+ 'Geo fields can carry data about a specific location related to an\nevent.\n\nThis geolocation information can be derived from techniques such as Geo IP,\nor be user-supplied.',
+ type: 'group',
+ fields: [
+ {
+ name: 'city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ ],
+ },
+ {
+ name: 'group',
+ title: 'Group',
group: 2,
- level: 'extended',
- name: 'event.kind',
- required: false,
- type: 'keyword',
- },
- 'event.module': {
description:
- 'Name of the module this data is coming from.\nThis information is coming from the modules used in Beats or Logstash.',
- example: 'mysql',
- footnote: '',
+ 'The group fields are meant to represent groups that are relevant\nto the event.',
+ type: 'group',
+ fields: [
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ ],
+ },
+ {
+ name: 'hash',
+ title: 'Hash',
group: 2,
- level: 'core',
- name: 'event.module',
- required: false,
- type: 'keyword',
- },
- 'event.original': {
description:
- 'Raw text message of entire event. Used to demonstrate log integrity.\nThis field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.',
- example:
- 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232',
- footnote: '',
+ 'The hash fields represent different hash algorithms and their values.\n\nField names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for\nother hashes by lowercasing the hash algorithm name and using underscore separators\nas appropriate (snake case, e.g. sha3_512).',
+ type: 'group',
+ fields: [
+ {
+ name: 'md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ },
+ {
+ name: 'sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ },
+ {
+ name: 'sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ },
+ {
+ name: 'sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ },
+ ],
+ },
+ {
+ name: 'host',
+ title: 'Host',
group: 2,
- level: 'core',
- name: 'event.original',
- required: false,
- type: '(not indexed)',
- },
- 'event.outcome': {
description:
- 'The outcome of the event.\nIf the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'success',
- footnote: '',
+ 'A host is defined as a general computing instance.\n\nECS host.* fields should be populated with details about the host on which the\nevent happened, or from which the measurement was taken. Host types include\nhardware, virtual machines, Docker containers, and Kubernetes nodes.',
+ type: 'group',
+ fields: [
+ {
+ name: 'architecture',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system architecture.',
+ example: 'x86_64',
+ },
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the domain of which the host is a member.\n\nFor example, on Windows this could be the host Active Directory domain\nor NetBIOS domain name. For Linux this could be the domain of the host\nLDAP provider.',
+ example: 'CONTOSO',
+ default_field: false,
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'hostname',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Hostname of the host.\n\nIt normally contains what the `hostname` command returns on the host machine.',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique host id.\n\nAs hostname is not always unique, use values that are meaningful in your environment.\n\nExample: The current usage of `beat.name`.',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'Host ip addresses.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Host mac addresses.',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.',
+ },
+ {
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Type of host.\n\nFor Cloud providers this can be the machine type like `t2.medium`. If vm,\nthis could be the container, for example, or other information meaningful\nin your environment.',
+ },
+ {
+ name: 'uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the host has been up.',
+ example: 1325,
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'http',
+ title: 'HTTP',
group: 2,
- level: 'extended',
- name: 'event.outcome',
- required: false,
- type: 'keyword',
- },
- 'event.risk_score': {
description:
- "Risk score or priority of the event (e.g. security solutions). Use your system's original value here.",
- example: '',
- footnote: '',
+ 'Fields related to HTTP activity. Use the `url` field set to store\nthe url of the request.',
+ type: 'group',
+ fields: [
+ {
+ name: 'request.body.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Size in bytes of the request body.',
+ example: 887,
+ },
+ {
+ name: 'request.body.content',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The full HTTP request body.',
+ example: 'Hello world',
+ },
+ {
+ name: 'request.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Total size in bytes of the request (body and headers).',
+ example: 1437,
+ },
+ {
+ name: 'request.method',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'HTTP request method.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'get, post, put',
+ },
+ {
+ name: 'request.referrer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Referrer for this HTTP request.',
+ example: 'https://blog.example.com/',
+ },
+ {
+ name: 'response.body.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Size in bytes of the response body.',
+ example: 887,
+ },
+ {
+ name: 'response.body.content',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The full HTTP response body.',
+ example: 'Hello world',
+ },
+ {
+ name: 'response.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Total size in bytes of the response (body and headers).',
+ example: 1437,
+ },
+ {
+ name: 'response.status_code',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'HTTP response status code.',
+ example: 404,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'HTTP version.',
+ example: 1.1,
+ },
+ ],
+ },
+ {
+ name: 'interface',
+ title: 'Interface',
group: 2,
- level: 'core',
- name: 'event.risk_score',
- required: false,
- type: 'float',
- },
- 'event.risk_score_norm': {
description:
- 'Normalized risk score or priority of the event, on a scale of 0 to 100.\nThis is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.',
- example: '',
- footnote: '',
+ 'The interface fields are used to record ingress and egress interface\ninformation when reported by an observer (e.g. firewall, router, load balancer)\nin the context of the observer handling a network connection. In the case of\na single observer interface (e.g. network sensor on a span port) only the observer.ingress\ninformation should be populated.',
+ type: 'group',
+ fields: [
+ {
+ name: 'alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'log',
+ title: 'Log',
group: 2,
- level: 'extended',
- name: 'event.risk_score_norm',
- required: false,
- type: 'float',
- },
- 'event.severity': {
description:
- "Severity describes the severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events.",
- example: '7',
- footnote: '',
+ 'Details about the event logging mechanism or logging transport.\n\nThe log.* fields are typically populated with details about the logging mechanism\nused to create and/or transport the event. For example, syslog details belong\nunder `log.syslog.*`.\n\nThe details specific to your event source are typically not logged under `log.*`,\nbut rather in `event.*` or in other ECS fields.',
+ type: 'group',
+ fields: [
+ {
+ name: 'file.path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ "Full path to the log file this event came from, including the\nfile name. It should include the drive letter, when appropriate.\n\nIf the event wasn't read from a log file, do not populate this field.",
+ example: '/var/log/fun-times.log',
+ default_field: false,
+ },
+ {
+ name: 'level',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Original log level of the log event.\n\nIf the source of the event provides a log level or textual severity, this\nis the one that goes in `log.level`. If your source does not specify one,\nyou may put your event transport severity here (e.g. Syslog severity).\n\nSome examples are `warn`, `err`, `i`, `informational`.',
+ example: 'error',
+ },
+ {
+ name: 'logger',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name of the logger inside an application. This is usually the\nname of the class which initialized the logger, or can be a custom name.',
+ example: 'org.elasticsearch.bootstrap.Bootstrap',
+ },
+ {
+ name: 'origin.file.line',
+ level: 'extended',
+ type: 'integer',
+ description:
+ 'The line number of the file containing the source code which originated\nthe log event.',
+ example: 42,
+ },
+ {
+ name: 'origin.file.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name of the file containing the source code which originated\nthe log event.\n\nNote that this field is not meant to capture the log file. The correct field\nto capture the log file is `log.file.path`.',
+ example: 'Bootstrap.java',
+ },
+ {
+ name: 'origin.function',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the function or method which originated the log event.',
+ example: 'init',
+ },
+ {
+ name: 'original',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is the original log message and contains the full log message\nbefore splitting it up in multiple parts.\n\nIn contrast to the `message` field which can contain an extracted part of\nthe log message, this field contains the original, full log message. It can\nhave already some modifications applied like encoding or new lines removed\nto clean up the log message.\n\nThis field is not indexed and doc_values are disabled so it cannot be queried\nbut the value can be retrieved from `_source`.',
+ example: 'Sep 19 08:26:10 localhost My log',
+ },
+ {
+ name: 'syslog',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'The Syslog metadata of the event, if the event was transmitted\nvia Syslog. Please see RFCs 5424 or 3164.',
+ },
+ {
+ name: 'syslog.facility.code',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'The Syslog numeric facility of the log event, if available.\n\nAccording to RFCs 5424 and 3164, this value should be an integer between 0\nand 23.',
+ example: 23,
+ },
+ {
+ name: 'syslog.facility.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The Syslog text-based facility of the log event, if available.',
+ example: 'local7',
+ },
+ {
+ name: 'syslog.priority',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Syslog numeric priority of the event, if available.\n\nAccording to RFCs 5424 and 3164, the priority is 8 * facility + severity.\nThis number is therefore expected to contain a value between 0 and 191.',
+ example: 135,
+ },
+ {
+ name: 'syslog.severity.code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The Syslog numeric severity of the log event, if available.\n\nIf the event source publishing via Syslog provides a different numeric severity\nvalue (e.g. firewall, IDS), your source numeric severity should go to `event.severity`.\nIf the event source does not specify a distinct severity, you can optionally\ncopy the Syslog severity to `event.severity`.',
+ example: 3,
+ },
+ {
+ name: 'syslog.severity.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The Syslog numeric severity of the log event, if available.\n\nIf the event source publishing via Syslog provides a different severity value\n(e.g. firewall, IDS), your source text severity should go to `log.level`.\nIf the event source does not specify a distinct severity, you can optionally\ncopy the Syslog severity to `log.level`.',
+ example: 'Error',
+ },
+ ],
+ },
+ {
+ name: 'network',
+ title: 'Network',
group: 2,
- level: 'core',
- name: 'event.severity',
- required: false,
- type: 'long',
- },
- 'event.start': {
description:
- 'event.start contains the date when the event started or when the activity was first observed.',
- example: '',
- footnote: '',
+ 'The network is defined as the communication path over which a host\nor network event happens.\n\nThe network.* fields should be populated with details about the network activity\nassociated with an event.',
+ type: 'group',
+ fields: [
+ {
+ name: 'application',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A name given to an application level protocol. This can be arbitrarily\nassigned for things like microservices, but also apply to things like skype,\nicq, facebook, twitter. This would be used in situations where the vendor\nor service can be decoded such as from the source/dest IP owners, ports, or\nwire format.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'aim',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description:
+ 'Total bytes transferred in both directions.\n\nIf `source.bytes` and `destination.bytes` are known, `network.bytes` is their\nsum.',
+ example: 368,
+ },
+ {
+ name: 'community_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash of source and destination IPs and ports, as well as the\nprotocol used in a communication. This is a tool-agnostic standard to identify\nflows.\n\nLearn more at https://github.com/corelight/community-id-spec.',
+ example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=',
+ },
+ {
+ name: 'direction',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ "Direction of the network traffic.\nRecommended values are:\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events from a host-based monitoring context, populate this field from the host's point of view.\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.",
+ example: 'inbound',
+ },
+ {
+ name: 'forwarded_ip',
+ level: 'core',
+ type: 'ip',
+ description: 'Host IP address when the source IP address is the proxy.',
+ example: '192.1.1.2',
+ },
+ {
+ name: 'iana_number',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).\nStandardized list of protocols. This aligns well with NetFlow and sFlow related\nlogs which use the IANA Protocol Number.',
+ example: 6,
+ },
+ {
+ name: 'inner',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'Network.inner fields are added in addition to network.vlan fields\nto describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed\nfields include vlan.id and vlan.name. Inner vlan fields are typically used\nwhen sending traffic with multiple 802.1q encapsulations to a network sensor\n(e.g. Zeek, Wireshark.)',
+ default_field: false,
+ },
+ {
+ name: 'inner.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'inner.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name given by operators to sections of their network.',
+ example: 'Guest Wifi',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description:
+ 'Total packets transferred in both directions.\n\nIf `source.packets` and `destination.packets` are known, `network.packets`\nis their sum.',
+ example: 24,
+ },
+ {
+ name: 'protocol',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'L7 Network protocol name. ex. http, lumberjack, transport protocol.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'http',
+ },
+ {
+ name: 'transport',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Same as network.iana_number, but instead using the Keyword name\nof the transport layer (udp, tcp, ipv6-icmp, etc.)\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'tcp',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'In the OSI Model this would be the Network Layer. ipv4, ipv6,\nipsec, pim, etc\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'ipv4',
+ },
+ {
+ name: 'vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'observer',
+ title: 'Observer',
group: 2,
- level: 'extended',
- name: 'event.start',
- required: false,
- type: 'date',
- },
- 'event.timezone': {
description:
- 'This field should be populated when the event\'s timestamp does not include timezone information already (e.g. default Syslog timestamps). It\'s optional otherwise.\nAcceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'event.timezone',
- required: false,
- type: 'keyword',
- },
- 'event.type': {
- description: 'Reserved for future usage.\nPlease avoid using this field for user data.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'event.type',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'event',
- title: 'Event',
- type: 'group',
- },
- file: {
- description:
- 'A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.\n',
- fields: {
- 'file.ctime': {
- description: 'Last time file metadata changed.',
- example: '',
- footnote: '',
+ 'An observer is defined as a special network, security, or application\ndevice used to detect, observe, or create network, security, or application-related\nevents and metrics.\n\nThis could be a custom hardware appliance or a server that has been configured\nto run special network, security, or application software. Examples include\nfirewalls, web proxies, intrusion detection/prevention systems, network monitoring\nsensors, web application firewalls, data loss prevention systems, and APM servers.\nThe observer.* fields shall be populated with details of the system, if any,\nthat detects, observes and/or creates a network, security, or application event\nor metric. Message queues and ETL components used in processing events or metrics\nare not considered observers in ECS.',
+ type: 'group',
+ fields: [
+ {
+ name: 'egress',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'Observer.egress holds information like interface number and name,\nvlan, and zone information to classify egress traffic. Single armed monitoring\nsuch as a network sensor on a span port should only use observer.ingress\nto categorize traffic.',
+ default_field: false,
+ },
+ {
+ name: 'egress.interface.alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'egress.interface.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'egress.interface.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
+ },
+ {
+ name: 'egress.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'egress.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'egress.zone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Network zone of outbound traffic as reported by the observer to\ncategorize the destination area of egress traffic, e.g. Internal, External,\nDMZ, HR, Legal, etc.',
+ example: 'Public_Internet',
+ default_field: false,
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'hostname',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Hostname of the observer.',
+ },
+ {
+ name: 'ingress',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'Observer.ingress holds information like interface number and name,\nvlan, and zone information to classify ingress traffic. Single armed monitoring\nsuch as a network sensor on a span port should only use observer.ingress\nto categorize traffic.',
+ default_field: false,
+ },
+ {
+ name: 'ingress.interface.alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'ingress.interface.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'ingress.interface.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
+ },
+ {
+ name: 'ingress.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'ingress.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'ingress.zone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Network zone of incoming traffic as reported by the observer to\ncategorize the source area of ingress traffic. e.g. internal, External, DMZ,\nHR, Legal, etc.',
+ example: 'DMZ',
+ default_field: false,
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'IP addresses of the observer.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC addresses of the observer',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Custom name of the observer.\n\nThis is a name that can be given to an observer. This can be helpful for example\nif multiple firewalls of the same model are used in an organization.\n\nIf no custom name is needed, the field can be left empty.',
+ example: '1_proxySG',
+ },
+ {
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The product name of the observer.',
+ example: 's200',
+ },
+ {
+ name: 'serial_number',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Observer serial number.',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of the observer the data is coming from.\n\nThere is no predefined list of observer types. Some examples are `forwarder`,\n`firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.',
+ example: 'firewall',
+ },
+ {
+ name: 'vendor',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Vendor name of the observer.',
+ example: 'Symantec',
+ },
+ {
+ name: 'version',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Observer version.',
+ },
+ ],
+ },
+ {
+ name: 'organization',
+ title: 'Organization',
group: 2,
- level: 'extended',
- name: 'file.ctime',
- required: false,
- type: 'date',
- },
- 'file.device': {
- description: 'Device that is the source of the file.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'file.device',
- required: false,
- type: 'keyword',
- },
- 'file.extension': {
- description: 'File extension.\nThis should allow easy filtering by file extensions.',
- example: 'png',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'file.extension',
- required: false,
- type: 'keyword',
- },
- 'file.gid': {
- description: 'Primary group ID (GID) of the file.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'file.gid',
- required: false,
- type: 'keyword',
- },
- 'file.group': {
- description: 'Primary group name of the file.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'file.group',
- required: false,
- type: 'keyword',
- },
- 'file.inode': {
- description: 'Inode representing the file in the filesystem.',
- example: '',
- footnote: '',
+ description:
+ 'The organization fields enrich data with information about the company\nor entity the data is associated with.\n\nThese fields help you arrange or filter data stored in an index by one or multiple\norganizations.',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the organization.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ },
+ ],
+ },
+ {
+ name: 'os',
+ title: 'Operating System',
+ group: 2,
+ description: 'The OS fields contain information about the operating system.',
+ type: 'group',
+ fields: [
+ {
+ name: 'family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ ],
+ },
+ {
+ name: 'package',
+ title: 'Package',
group: 2,
- level: 'extended',
- name: 'file.inode',
- required: false,
- type: 'keyword',
- },
- 'file.mode': {
- description: 'Mode of the file in octal representation.',
- example: '416',
- footnote: '',
+ description:
+ 'These fields contain information about an installed software package.\nIt contains general information about a package, such as name, version or size.\nIt also contains installation details, such as time or location.',
+ type: 'group',
+ fields: [
+ {
+ name: 'architecture',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package architecture.',
+ example: 'x86_64',
+ },
+ {
+ name: 'build_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the build version of the installed\npackage.\n\nFor example use the commit SHA of a non-released package.',
+ example: '36f4f7e89dd61b0988b12ee000b98966867710cd',
+ default_field: false,
+ },
+ {
+ name: 'checksum',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Checksum of the installed package for verification.',
+ example: '68b329da9893e34099c7d8ad5cb9c940',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Description of the package.',
+ example:
+ 'Open source programming language to build simple/reliable/efficient\nsoftware.',
+ },
+ {
+ name: 'install_scope',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Indicating how the package was installed, e.g. user-local, global.',
+ example: 'global',
+ },
+ {
+ name: 'installed',
+ level: 'extended',
+ type: 'date',
+ description: 'Time when package was installed.',
+ },
+ {
+ name: 'license',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'License under which the package was released.\n\nUse a short name, e.g. the license identifier from SPDX License List where\npossible (https://spdx.org/licenses/).',
+ example: 'Apache License 2.0',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package name',
+ example: 'go',
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Path where the package is installed.',
+ example: '/usr/local/Cellar/go/1.12.9/',
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Home page or reference URL of the software in this package, if\navailable.',
+ example: 'https://golang.org',
+ default_field: false,
+ },
+ {
+ name: 'size',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Package size in bytes.',
+ example: 62231,
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Type of package.\n\nThis should contain the package file type, rather than the package manager\nname. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.',
+ example: 'rpm',
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package version',
+ example: '1.12.9',
+ },
+ ],
+ },
+ {
+ name: 'pe',
+ title: 'PE Header',
+ group: 2,
+ description: 'These fields contain Windows Portable Executable (PE) metadata.',
+ type: 'group',
+ fields: [
+ {
+ name: 'architecture',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'CPU architecture target for the file.',
+ example: 'x64',
+ default_field: false,
+ },
+ {
+ name: 'company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'imphash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash of the imports in a PE file. An imphash -- or import hash\n-- can be used to fingerprint binaries even after recompilation or other code-level\ntransformations have occurred, which would change more traditional hash values.\n\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.',
+ example: '0c6803c4e922103c4dca5963aad36ddf',
+ default_field: false,
+ },
+ {
+ name: 'original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'process',
+ title: 'Process',
group: 2,
- level: 'extended',
- name: 'file.mode',
- required: false,
- type: 'keyword',
- },
- 'file.mtime': {
- description: 'Last time file content was modified.',
- example: '',
- footnote: '',
+ description:
+ 'These fields contain information about a process.\n\nThese fields can help you correlate metrics information with a process id/name\nfrom a log message. The `process.pid` often stays in the metric itself and\nis copied to the global field for correlation.',
+ type: 'group',
+ fields: [
+ {
+ name: 'args',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.',
+ example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'],
+ },
+ {
+ name: 'args_count',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Length of the process.args array.\n\nThis field can be useful for querying or performing bucket analysis on how\nmany arguments were provided to start a process. More arguments may be an\nindication of suspicious activity.',
+ example: 4,
+ default_field: false,
+ },
+ {
+ name: 'code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'command_line',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'Full command line that started the process, including the absolute\npath to the executable, and all arguments.\n\nSome arguments may be filtered to protect sensitive information.',
+ example: '/usr/bin/ssh -l user 10.0.0.16',
+ default_field: false,
+ },
+ {
+ name: 'entity_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier for the process.\n\nThe implementation of this is specified by the data source, but some examples\nof what could be used here are a process-generated UUID, Sysmon Process GUIDs,\nor a hash of some uniquely identifying components of a process.\n\nConstructing a globally unique identifier is a common practice to mitigate\nPID reuse as well as to identify a specific process over time, across multiple\nmonitored hosts.',
+ example: 'c2c455d9f99375d',
+ default_field: false,
+ },
+ {
+ name: 'executable',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Absolute path to the process executable.',
+ example: '/usr/bin/ssh',
+ },
+ {
+ name: 'exit_code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The exit code of the process, if this is a termination event.\n\nThe field should be absent if there is no exit code for the event (e.g. process\nstart).',
+ example: 137,
+ default_field: false,
+ },
+ {
+ name: 'hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ },
+ {
+ name: 'hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ },
+ {
+ name: 'hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ },
+ {
+ name: 'hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Process name.\n\nSometimes called program name or similar.',
+ example: 'ssh',
+ },
+ {
+ name: 'parent.args',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of process arguments.\n\nMay be filtered to protect sensitive information.',
+ example: ['ssh', '-l', 'user', '10.0.0.16'],
+ default_field: false,
+ },
+ {
+ name: 'parent.args_count',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Length of the process.args array.\n\nThis field can be useful for querying or performing bucket analysis on how\nmany arguments were provided to start a process. More arguments may be an\nindication of suspicious activity.',
+ example: 4,
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.command_line',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'Full command line that started the process, including the absolute\npath to the executable, and all arguments.\n\nSome arguments may be filtered to protect sensitive information.',
+ example: '/usr/bin/ssh -l user 10.0.0.16',
+ default_field: false,
+ },
+ {
+ name: 'parent.entity_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier for the process.\n\nThe implementation of this is specified by the data source, but some examples\nof what could be used here are a process-generated UUID, Sysmon Process GUIDs,\nor a hash of some uniquely identifying components of a process.\n\nConstructing a globally unique identifier is a common practice to mitigate\nPID reuse as well as to identify a specific process over time, across multiple\nmonitored hosts.',
+ example: 'c2c455d9f99375d',
+ default_field: false,
+ },
+ {
+ name: 'parent.executable',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'Absolute path to the process executable.',
+ example: '/usr/bin/ssh',
+ default_field: false,
+ },
+ {
+ name: 'parent.exit_code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The exit code of the process, if this is a termination event.\n\nThe field should be absent if there is no exit code for the event (e.g. process\nstart).',
+ example: 137,
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'Process name.\n\nSometimes called program name or similar.',
+ example: 'ssh',
+ default_field: false,
+ },
+ {
+ name: 'parent.pgid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Identifier of the group of processes the process belongs to.',
+ default_field: false,
+ },
+ {
+ name: 'parent.pid',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Process id.',
+ example: 4242,
+ default_field: false,
+ },
+ {
+ name: 'parent.ppid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: "Parent process' pid.",
+ example: 4241,
+ default_field: false,
+ },
+ {
+ name: 'parent.start',
+ level: 'extended',
+ type: 'date',
+ description: 'The time the process started.',
+ example: '2016-05-23T08:05:34.853Z',
+ default_field: false,
+ },
+ {
+ name: 'parent.thread.id',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Thread ID.',
+ example: 4242,
+ default_field: false,
+ },
+ {
+ name: 'parent.thread.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Thread name.',
+ example: 'thread-0',
+ default_field: false,
+ },
+ {
+ name: 'parent.title',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'Process title.\n\nThe proctitle, some times the same as process name. Can also be different:\nfor example a browser setting its title to the web page currently opened.',
+ default_field: false,
+ },
+ {
+ name: 'parent.uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the process has been up.',
+ example: 1325,
+ default_field: false,
+ },
+ {
+ name: 'parent.working_directory',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'The working directory of the process.',
+ example: '/home/alice',
+ default_field: false,
+ },
+ {
+ name: 'pe.architecture',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'CPU architecture target for the file.',
+ example: 'x64',
+ default_field: false,
+ },
+ {
+ name: 'pe.company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'pe.description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'pe.file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'pe.imphash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash of the imports in a PE file. An imphash -- or import hash\n-- can be used to fingerprint binaries even after recompilation or other code-level\ntransformations have occurred, which would change more traditional hash values.\n\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.',
+ example: '0c6803c4e922103c4dca5963aad36ddf',
+ default_field: false,
+ },
+ {
+ name: 'pe.original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'pe.product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ {
+ name: 'pgid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Identifier of the group of processes the process belongs to.',
+ },
+ {
+ name: 'pid',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Process id.',
+ example: 4242,
+ },
+ {
+ name: 'ppid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: "Parent process' pid.",
+ example: 4241,
+ },
+ {
+ name: 'start',
+ level: 'extended',
+ type: 'date',
+ description: 'The time the process started.',
+ example: '2016-05-23T08:05:34.853Z',
+ },
+ {
+ name: 'thread.id',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Thread ID.',
+ example: 4242,
+ },
+ {
+ name: 'thread.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Thread name.',
+ example: 'thread-0',
+ },
+ {
+ name: 'title',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Process title.\n\nThe proctitle, some times the same as process name. Can also be different:\nfor example a browser setting its title to the web page currently opened.',
+ },
+ {
+ name: 'uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the process has been up.',
+ example: 1325,
+ },
+ {
+ name: 'working_directory',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The working directory of the process.',
+ example: '/home/alice',
+ },
+ ],
+ },
+ {
+ name: 'registry',
+ title: 'Registry',
+ group: 2,
+ description: 'Fields related to Windows Registry operations.',
+ type: 'group',
+ fields: [
+ {
+ name: 'data.bytes',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Original bytes written with base64 encoding.\n\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this\ncorresponds to the data pointed by `lp_data`. This is optional but provides\nbetter recoverability and should be populated for REG_BINARY encoded values.',
+ example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=',
+ default_field: false,
+ },
+ {
+ name: 'data.strings',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Content when writing string types.\n\nPopulated as an array when writing string data to the registry. For single\nstring registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with\none string. For sequences of string with REG_MULTI_SZ, this array will be\nvariable length. For numeric data, such as REG_DWORD and REG_QWORD, this should\nbe populated with the decimal representation (e.g `"1"`).',
+ example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]',
+ default_field: false,
+ },
+ {
+ name: 'data.type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Standard registry type for encoding contents',
+ example: 'REG_SZ',
+ default_field: false,
+ },
+ {
+ name: 'hive',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Abbreviated name for the hive.',
+ example: 'HKLM',
+ default_field: false,
+ },
+ {
+ name: 'key',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Hive-relative path of keys.',
+ example:
+ 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe',
+ default_field: false,
+ },
+ {
+ name: 'path',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Full path, including hive, key and value',
+ example:
+ 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution\nOptions\\winword.exe\\Debugger',
+ default_field: false,
+ },
+ {
+ name: 'value',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the value written.',
+ example: 'Debugger',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'related',
+ title: 'Related',
group: 2,
- level: 'extended',
- name: 'file.mtime',
- required: false,
- type: 'date',
- },
- 'file.owner': {
- description: "File owner's username.",
- example: '',
- footnote: '',
+ description:
+ 'This field set is meant to facilitate pivoting around a piece of\ndata.\n\nSome pieces of information can be seen in many places in an ECS event. To facilitate\nsearching for them, store an array of all seen values to their corresponding\nfield in `related.`.\n\nA concrete example is IP addresses, which can be under host, observer, source,\ndestination, client, server, and network.forwarded_ip. If you append all IPs\nto `related.ip`, you can then search for a given IP trivially, no matter where\nit appeared, by querying `related.ip:192.0.2.15`.',
+ type: 'group',
+ fields: [
+ {
+ name: 'hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ "All the hashes seen on your event. Populating this field, then\nusing it to search for hashes can help in situations where you're unsure what\nthe hash algorithm is (and therefore which key name to search).",
+ default_field: false,
+ },
+ {
+ name: 'ip',
+ level: 'extended',
+ type: 'ip',
+ description: 'All of the IPs seen on your event.',
+ },
+ {
+ name: 'user',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'All the user names seen on your event.',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'rule',
+ title: 'Rule',
group: 2,
- level: 'extended',
- name: 'file.owner',
- required: false,
- type: 'keyword',
- },
- 'file.path': {
- description: 'Path to the file.',
- example: '',
- footnote: '',
+ description:
+ 'Rule fields are used to capture the specifics of any observer or\nagent rules that generate alerts or other notable events.\n\nExamples of data sources that would populate the rule fields include: network\nadmission control platforms, network or host IDS/IPS, network firewalls, web\napplication firewalls, url filters, endpoint detection and response (EDR) systems,\netc.',
+ type: 'group',
+ fields: [
+ {
+ name: 'author',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name, organization, or pseudonym of the author or authors who created\nthe rule used to generate this event.',
+ example: ['Star-Lord'],
+ default_field: false,
+ },
+ {
+ name: 'category',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A categorization value keyword used by the entity using the rule\nfor detection of this event.',
+ example: 'Attempted Information Leak',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The description of the rule generating the event.',
+ example: 'Block requests to public DNS over HTTPS / TLS protocols',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A rule ID that is unique within the scope of an agent, observer,\nor other entity using the rule for detection of this event.',
+ example: 101,
+ default_field: false,
+ },
+ {
+ name: 'license',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the license under which the rule used to generate this\nevent is made available.',
+ example: 'Apache 2.0',
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the rule or signature generating the event.',
+ example: 'BLOCK_DNS_over_TLS',
+ default_field: false,
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Reference URL to additional information about the rule used to\ngenerate this event.\n\nThe URL can point to the vendor documentation about the rule. If that is\nnot available, it can also be a link to a more general page describing this\ntype of alert.',
+ example: 'https://en.wikipedia.org/wiki/DNS_over_TLS',
+ default_field: false,
+ },
+ {
+ name: 'ruleset',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the ruleset, policy, group, or parent category in which\nthe rule used to generate this event is a member.',
+ example: 'Standard_Protocol_Filters',
+ default_field: false,
+ },
+ {
+ name: 'uuid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A rule ID that is unique within the scope of a set or group of\nagents, observers, or other entities using the rule for detection of this\nevent.',
+ example: 1100110011,
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The version / revision of the rule being used for analysis.',
+ example: 1.1,
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'search',
+ title: 'Search',
group: 2,
- level: 'extended',
- name: 'file.path',
- required: false,
- type: 'keyword',
- },
- 'file.size': {
- description: 'File size in bytes (field is only added when `type` is `file`).',
- example: '',
- footnote: '',
+ description:
+ 'The Search fields describe information about a search request event:\nquery or pagination. The fields that should be used with this field set include:\n`event.action` to describe the search action (e.g. `search.query`, `search.page`,\netc.), `event.duration` to describe the duration of a search request, `@timestamp`\nto record the event original timestamp and optionally the `source` fields\nto record context information such as `user.id` or `geo`.',
+ type: 'group',
+ fields: [
+ {
+ name: 'query.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'An opaque query identifier. This identifier needs to be unique\nto a user query, and all subsequent events (pagination, clicks) need to have\nthe same query identifier.',
+ example: '2dc15175-de0d-44db-86d8-8a99f41b7a11',
+ default_field: false,
+ },
+ {
+ name: 'query.page',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'For search results that support pagination, this represents the\ncurrent page being requested. Initial search requests are `1` while subsequent\npage requests are incremental.',
+ example: 1,
+ default_field: false,
+ },
+ {
+ name: 'query.value',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 4096,
+ description:
+ 'The query string being searched on. This field is not analyzed\nand should not be pre-processed in any way in the event (e.g. normalization\nlist lowercasing). This is useful for search use-cases that use a one- box\nstyle search interface. Other interfaces will have to rely on additional custom\nfields or labels to represent things like filters applied, extra parameters,\nuser context, etc.',
+ example: 'where does the rain in Spain mainly fall',
+ default_field: false,
+ },
+ {
+ name: 'results.ids',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ "A list of opaque document IDs representing the results that were\nshown to the user. This is effectively the impression list and it's size should\nbe equal to `results.size`. This field can be empty when there are no results\nto return.",
+ example: ['user:82375akja9f', 'issue:2782630'],
+ default_field: false,
+ },
+ {
+ name: 'results.size',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The size of the result set displayed to the user. This should be\nequivalent to the length of the results in `results.ids`. This is also known\nas the page size or limit.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'results.total',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The total number of matches for this query. This number is always\ngreater than or equal to `results.size`. This is the `hits.total` field in\nthe query response.',
+ example: 134509,
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'server',
+ title: 'Server',
group: 2,
- level: 'extended',
- name: 'file.size',
- required: false,
- type: 'long',
- },
- 'file.target_path': {
- description: 'Target path for symlinks.',
- example: '',
- footnote: '',
+ description:
+ 'A Server is defined as the responder in a network connection for\nevents regarding sessions, connections, or bidirectional flow records.\n\nFor TCP events, the server is the receiver of the initial SYN packet(s) of the\nTCP connection. For other protocols, the server is generally the responder in\nthe network transaction. Some systems actually use the term "responder" to refer\nthe server in TCP connections. The server fields describe details about the\nsystem acting as the server in the network event. Server fields are usually\npopulated in conjunction with client fields. Server fields are generally not\npopulated for packet-level events.\n\nClient / server representations can add semantic context to an exchange, which\nis helpful to visualize the data in certain situations. If your context falls\nin that category, you should still ensure that source and destination are filled\nappropriately.',
+ type: 'group',
+ fields: [
+ {
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event server addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the server to the client.',
+ example: 184,
+ },
+ {
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Server domain.',
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'IP address of the server (IPv4 or IPv6).',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the server.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated ip of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the server to the client.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the server.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered server domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'service',
+ title: 'Service',
group: 2,
- level: 'extended',
- name: 'file.target_path',
- required: false,
- type: 'keyword',
- },
- 'file.type': {
- description: 'File type (file, dir, or symlink).',
- example: '',
- footnote: '',
+ description:
+ 'The service fields describe the service for or from which the data\nwas collected.\n\nThese fields help you find and correlate logs for a specific service and version.',
+ type: 'group',
+ fields: [
+ {
+ name: 'ephemeral_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Ephemeral identifier of this service (if one exists).\n\nThis id normally changes across restarts, but `service.id` does not.',
+ example: '8a4f500f',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the running service. If the service is comprised\nof many nodes, the `service.id` should be the same for all nodes.\n\nThis id should uniquely identify the service. This makes it possible to correlate\nlogs and metrics for one specific service, no matter which particular node\nemitted the event.\n\nNote that if you need to see the events from one specific host of the service,\nyou should filter on that `host.name` or `host.id` instead.',
+ example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the service data is collected from.\n\nThe name of the service is normally user given. This allows for distributed\nservices that run on multiple hosts to correlate the related instances based\non the name.\n\nIn the case of Elasticsearch the `service.name` could contain the cluster\nname. For Beats the `service.name` is by default a copy of the `service.type`\nfield if no name is specified.',
+ example: 'elasticsearch-metrics',
+ },
+ {
+ name: 'node.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of a service node.\n\nThis allows for two nodes of the same service running on the same host to\nbe differentiated. Therefore, `service.node.name` should typically be unique\nacross nodes of a given service.\n\nIn the case of Elasticsearch, the `service.node.name` could contain the unique\nnode name within the Elasticsearch cluster. In cases where the service does not\nhave the concept of a node name, the host name or container name can be used\nto distinguish running instances that make up this service. If those do not\nprovide uniqueness (e.g. multiple instances of the service running on the\nsame host) - the node name can be manually set.',
+ example: 'instance-0000000016',
+ },
+ {
+ name: 'state',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Current state of the service.',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of the service data is collected from.\n\nThe type can be used to group and correlate logs and metrics from one service\ntype.\n\nExample: If logs or metrics are collected from Elasticsearch, `service.type`\nwould be `elasticsearch`.',
+ example: 'elasticsearch',
+ },
+ {
+ name: 'version',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Version of the service the data was collected from.\n\nThis allows to look at a data set only for a specific version of a service.',
+ example: '3.2.4',
+ },
+ ],
+ },
+ {
+ name: 'source',
+ title: 'Source',
group: 2,
- level: 'extended',
- name: 'file.type',
- required: false,
- type: 'keyword',
- },
- 'file.uid': {
- description: 'The user ID (UID) or security identifier (SID) of the file owner.',
- example: '',
- footnote: '',
+ description:
+ 'Source fields describe details about the source of a packet/event.\n\nSource fields are usually populated in conjunction with destination fields.',
+ type: 'group',
+ fields: [
+ {
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event source addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the source to the destination.',
+ example: 184,
+ },
+ {
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Source domain.',
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'IP address of the source (IPv4 or IPv6).',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the source.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated ip of source based NAT sessions (e.g. internal client\nto internet)\n\nTypically connections traversing load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of source based NAT sessions. (e.g. internal client\nto internet)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the source to the destination.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the source.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered source domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'threat',
+ title: 'Threat',
group: 2,
- level: 'extended',
- name: 'file.uid',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'file',
- title: 'File',
- type: 'group',
- },
- geo: {
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.\n',
- fields: {
- 'geo.city_name': {
- description: 'City name.',
- example: 'Montreal',
- footnote: '',
+ description:
+ 'Fields to classify events and alerts according to a threat taxonomy\nsuch as the Mitre ATT&CK framework.\n\nThese fields are for users to classify alerts from all of their sources (e.g.\nIDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to\ncapture the high level category of the threat (e.g. "impact"). The threat.technique.*\nfields are meant to capture which kind of approach is used by this detected\nthreat, to accomplish the goal (e.g. "endpoint denial of service").',
+ type: 'group',
+ fields: [
+ {
+ name: 'framework',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the threat framework used to further categorize and classify\nthe tactic and technique of the reported threat. Framework classification\ncan be provided by detecting systems, evaluated at ingest time, or retrospectively\ntagged to events.',
+ example: 'MITRE ATT&CK',
+ },
+ {
+ name: 'tactic.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The id of tactic used by this threat. You can use the Mitre ATT&CK\nMatrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'TA0040',
+ },
+ {
+ name: 'tactic.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the type of tactic used by this threat. You can use the\nMitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'impact',
+ },
+ {
+ name: 'tactic.reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The reference url of tactic used by this threat. You can use the\nMitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'https://attack.mitre.org/tactics/TA0040/',
+ },
+ {
+ name: 'technique.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The id of technique used by this tactic. You can use the Mitre\nATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'T1499',
+ },
+ {
+ name: 'technique.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'The name of technique used by this tactic. You can use the Mitre\nATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'endpoint denial of service',
+ },
+ {
+ name: 'technique.reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The reference url of technique used by this tactic. You can use\nthe Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
+ },
+ {
+ name: 'tls',
+ title: 'TLS',
group: 2,
- level: 'core',
- name: 'geo.city_name',
- required: false,
- type: 'keyword',
- },
- 'geo.continent_name': {
- description: 'Name of the continent.',
- example: 'North America',
- footnote: '',
+ description:
+ 'Fields related to a TLS connection. These fields focus on the TLS\nprotocol itself and intentionally avoids in-depth analysis of the related x.509\ncertificate files.',
+ type: 'group',
+ fields: [
+ {
+ name: 'cipher',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'String indicating the cipher used during the current connection.',
+ example: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
+ default_field: false,
+ },
+ {
+ name: 'client.certificate',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'PEM-encoded stand-alone certificate offered by the client. This\nis usually mutually-exclusive of `client.certificate_chain` since this value\nalso exists in that list.',
+ example: 'MII...',
+ default_field: false,
+ },
+ {
+ name: 'client.certificate_chain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of PEM-encoded certificates that make up the certificate\nchain offered by the client. This is usually mutually-exclusive of `client.certificate`\nsince that value should be the first certificate in the chain.',
+ example: ['MII...', 'MII...'],
+ default_field: false,
+ },
+ {
+ name: 'client.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the MD5 digest of DER-encoded version\nof certificate offered by the client. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC',
+ default_field: false,
+ },
+ {
+ name: 'client.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA1 digest of DER-encoded version\nof certificate offered by the client. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '9E393D93138888D288266C2D915214D1D1CCEB2A',
+ default_field: false,
+ },
+ {
+ name: 'client.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA256 digest of DER-encoded\nversion of certificate offered by the client. For consistency with other hash\nvalues, this value should be formatted as an uppercase hash.',
+ example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0',
+ default_field: false,
+ },
+ {
+ name: 'client.issuer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Distinguished name of subject of the issuer of the x.509 certificate\npresented by the client.',
+ example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'client.ja3',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash that identifies clients based on how they perform an SSL/TLS\nhandshake.',
+ example: 'd4e5b18d6b55c71272893221c96ba240',
+ default_field: false,
+ },
+ {
+ name: 'client.not_after',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Date/Time indicating when client certificate is no longer considered\nvalid.',
+ example: '2021-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'client.not_before',
+ level: 'extended',
+ type: 'date',
+ description: 'Date/Time indicating when client certificate is first considered\nvalid.',
+ example: '1970-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'client.server_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Also called an SNI, this tells the server which hostname to which\nthe client is attempting to connect. When this value is available, it should\nget copied to `destination.domain`.',
+ example: 'www.elastic.co',
+ default_field: false,
+ },
+ {
+ name: 'client.subject',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Distinguished name of subject of the x.509 certificate presented\nby the client.',
+ example: 'CN=myclient, OU=Documentation Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'client.supported_ciphers',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Array of ciphers offered by the client during the client hello.',
+ example: [
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+ '...',
+ ],
+ default_field: false,
+ },
+ {
+ name: 'curve',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'String indicating the curve used for the given cipher, when applicable.',
+ example: 'secp256r1',
+ default_field: false,
+ },
+ {
+ name: 'established',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean flag indicating if the TLS negotiation was successful and\ntransitioned to an encrypted tunnel.',
+ default_field: false,
+ },
+ {
+ name: 'next_protocol',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'String indicating the protocol being tunneled. Per the values in\nthe IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),\nthis string should be lower case.',
+ example: 'http/1.1',
+ default_field: false,
+ },
+ {
+ name: 'resumed',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean flag indicating if this TLS connection was resumed from\nan existing TLS negotiation.',
+ default_field: false,
+ },
+ {
+ name: 'server.certificate',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'PEM-encoded stand-alone certificate offered by the server. This\nis usually mutually-exclusive of `server.certificate_chain` since this value\nalso exists in that list.',
+ example: 'MII...',
+ default_field: false,
+ },
+ {
+ name: 'server.certificate_chain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of PEM-encoded certificates that make up the certificate\nchain offered by the server. This is usually mutually-exclusive of `server.certificate`\nsince that value should be the first certificate in the chain.',
+ example: ['MII...', 'MII...'],
+ default_field: false,
+ },
+ {
+ name: 'server.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the MD5 digest of DER-encoded version\nof certificate offered by the server. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC',
+ default_field: false,
+ },
+ {
+ name: 'server.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA1 digest of DER-encoded version\nof certificate offered by the server. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '9E393D93138888D288266C2D915214D1D1CCEB2A',
+ default_field: false,
+ },
+ {
+ name: 'server.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA256 digest of DER-encoded\nversion of certificate offered by the server. For consistency with other hash\nvalues, this value should be formatted as an uppercase hash.',
+ example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0',
+ default_field: false,
+ },
+ {
+ name: 'server.issuer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject of the issuer of the x.509 certificate presented by the\nserver.',
+ example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'server.ja3s',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash that identifies servers based on how they perform an SSL/TLS\nhandshake.',
+ example: '394441ab65754e2207b1e1b457b3641d',
+ default_field: false,
+ },
+ {
+ name: 'server.not_after',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Timestamp indicating when server certificate is no longer considered\nvalid.',
+ example: '2021-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'server.not_before',
+ level: 'extended',
+ type: 'date',
+ description: 'Timestamp indicating when server certificate is first considered\nvalid.',
+ example: '1970-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'server.subject',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject of the x.509 certificate presented by the server.',
+ example: 'CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Numeric part of the version parsed from the original string.',
+ example: '1.2',
+ default_field: false,
+ },
+ {
+ name: 'version_protocol',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Normalized lowercase protocol name parsed from original string.',
+ example: 'tls',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'tracing',
+ title: 'Tracing',
group: 2,
- level: 'core',
- name: 'geo.continent_name',
- required: false,
- type: 'keyword',
- },
- 'geo.country_iso_code': {
- description: 'Country ISO code.',
- example: 'CA',
- footnote: '',
+ description:
+ 'Distributed tracing makes it possible to analyze performance throughout\na microservice architecture all in one view. This is accomplished by tracing\nall of the requests - from the initial web request in the front-end service\n- to queries made through multiple back-end services.',
+ type: 'group',
+ fields: [
+ {
+ name: 'trace.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the trace.\n\nA trace groups multiple events like transactions that belong together. For\nexample, a user request handled by multiple inter-connected services.',
+ example: '4bf92f3577b34da6a3ce929d0e0e4736',
+ },
+ {
+ name: 'transaction.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the transaction.\n\nA transaction is the highest level of work measured within a service, such\nas a request to a server.',
+ example: '00f067aa0ba902b7',
+ },
+ ],
+ },
+ {
+ name: 'url',
+ title: 'URL',
group: 2,
- level: 'core',
- name: 'geo.country_iso_code',
- required: false,
- type: 'keyword',
- },
- 'geo.country_name': {
- description: 'Country name.',
- example: 'Canada',
- footnote: '',
+ description:
+ 'URL fields provide support for complete or partial URLs, and supports\nthe breaking down into scheme, domain, path, and so on.',
+ type: 'group',
+ fields: [
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Domain of the url, such as "www.elastic.co".\n\nIn some cases a URL may refer to an IP and/or port directly, without a domain\nname. In this case, the IP address would go to the `domain` field.',
+ example: 'www.elastic.co',
+ },
+ {
+ name: 'extension',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The field contains the file extension from the original request\nurl.\n\nThe file extension is only set if it exists, as not every url has a file extension.\n\nThe leading period must not be included. For example, the value must be "png",\nnot ".png".',
+ example: 'png',
+ },
+ {
+ name: 'fragment',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Portion of the url after the `#`, such as "top".\n\nThe `#` is not part of the fragment.',
+ },
+ {
+ name: 'full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'If full URLs are important to your use case, they should be stored\nin `url.full`, whether this field is reconstructed or present in the event\nsource.',
+ example: 'https://www.elastic.co:443/search?q=elasticsearch#top',
+ },
+ {
+ name: 'original',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Unmodified original url as seen in the event source.\n\nNote that in network monitoring, the observed URL may be a full URL, whereas\nin access logs, the URL is often just represented as a path.\n\nThis field is meant to represent the URL as it was observed, complete or not.',
+ example:
+ 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch',
+ },
+ {
+ name: 'password',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Password of the request.',
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Path of the request, such as "/search".',
+ },
+ {
+ name: 'port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the request, such as 443.',
+ example: 443,
+ },
+ {
+ name: 'query',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The query field describes the query string of the request, such\nas "q=elasticsearch".\n\nThe `?` is excluded from the query string. If a URL contains no `?`, there\nis no query field. If there is a `?` but no query, the query field exists\nwith an empty string. The `exists` query can be used to differentiate between\nthe two cases.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered url domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'scheme',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Scheme of the request, such as "https".\n\nNote: The `:` is not part of the scheme.',
+ example: 'https',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'username',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Username of the request.',
+ },
+ ],
+ },
+ {
+ name: 'user',
+ title: 'User',
group: 2,
- level: 'core',
- name: 'geo.country_name',
- required: false,
- type: 'keyword',
- },
- 'geo.location': {
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- footnote: '',
+ description:
+ 'The user fields describe information about the user that is relevant\nto the event.\n\nFields can have one entry or multiple entries. If a user has more than one id,\nprovide an array that includes all of them.',
+ type: 'group',
+ fields: [
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier of the user.',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'user_agent',
+ title: 'User agent',
group: 2,
- level: 'core',
- name: 'geo.location',
- required: false,
- type: 'geo_point',
- },
- 'geo.name': {
description:
- 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.',
- example: 'boston-dc',
- footnote: '',
+ 'The user_agent fields normally come from a browser request.\n\nThey often show up in web service logs coming from the parsed user agent string.',
+ type: 'group',
+ fields: [
+ {
+ name: 'device.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the device.',
+ example: 'iPhone',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the user agent.',
+ example: 'Safari',
+ },
+ {
+ name: 'original',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'Unparsed user_agent string.',
+ example:
+ 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15\n(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
+ },
+ {
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Version of the user agent.',
+ example: 12,
+ },
+ ],
+ },
+ {
+ name: 'vlan',
+ title: 'VLAN',
group: 2,
- level: 'extended',
- name: 'geo.name',
- required: false,
- type: 'keyword',
- },
- 'geo.region_iso_code': {
- description: 'Region ISO code.',
- example: 'CA-QC',
- footnote: '',
+ description:
+ 'The VLAN fields are used to identify 802.1q tag(s) of a packet,\nas well as ingress and egress VLAN associations of an observer in relation to\na specific packet or connection.\n\nNetwork.vlan fields are used to record a single VLAN tag, or the outer tag in\nthe case of q-in-q encapsulations, for a packet or connection as observed, typically\nprovided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.\n\nNetwork.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple\n802.1q encapsulations) as observed, typically provided by a network sensor (e.g.\nZeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should\nonly be used in addition to network.vlan fields to indicate q-in-q tagging.\n\nObserver.ingress and observer.egress VLAN values are used to record observer\nspecific information when observer events contain discrete ingress and egress\nVLAN information, typically provided by firewalls, routers, or load balancers.',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'vulnerability',
+ title: 'Vulnerability',
group: 2,
- level: 'core',
- name: 'geo.region_iso_code',
- required: false,
- type: 'keyword',
- },
- 'geo.region_name': {
- description: 'Region name.',
- example: 'Quebec',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'geo.region_name',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'geo',
- title: 'Geo',
- type: 'group',
- },
- group: {
- description: 'The group fields are meant to represent groups that are relevant to the event.\n',
- fields: {
- 'group.id': {
- description: 'Unique identifier for the group on the system/platform.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'group.id',
- required: false,
- type: 'keyword',
- },
- 'group.name': {
- description: 'Name of the group.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'group.name',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'group',
- title: 'Group',
- type: 'group',
- },
- host: {
- description:
- 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or on which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.\n',
- fields: {
- 'host.architecture': {
- description: 'Operating system architecture.',
- example: 'x86_64',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'host.architecture',
- required: false,
- type: 'keyword',
- },
- 'host.hostname': {
- description:
- 'Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'host.hostname',
- required: false,
- type: 'keyword',
- },
- 'host.id': {
- description:
- 'Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'host.id',
- required: false,
- type: 'keyword',
- },
- 'host.ip': {
- description: 'Host ip address.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'host.ip',
- required: false,
- type: 'ip',
- },
- 'host.mac': {
- description: 'Host mac address.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'host.mac',
- required: false,
- type: 'keyword',
- },
- 'host.name': {
- description:
- 'Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'host.name',
- required: false,
- type: 'keyword',
- },
- 'host.type': {
- description:
- 'Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'host.type',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'host',
- title: 'Host',
- type: 'group',
- },
- http: {
- description: 'Fields related to HTTP activity.\n',
- fields: {
- 'http.request.method': {
- description: 'Http request method.',
- example: 'GET, POST, PUT',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'http.request.method',
- required: false,
- type: 'keyword',
- },
- 'http.request.referrer': {
- description: 'Referrer for this HTTP request.',
- example: 'https://blog.example.com/',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'http.request.referrer',
- required: false,
- type: 'keyword',
- },
- 'http.response.body': {
- description: 'The full http response body.',
- example: 'Hello world',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'http.response.body',
- required: false,
- type: 'keyword',
- },
- 'http.response.status_code': {
- description: 'Http response status code.',
- example: '404',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'http.response.status_code',
- required: false,
- type: 'long',
- },
- 'http.version': {
- description: 'Http version.',
- example: '1.1',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'http.version',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'http',
- title: 'HTTP',
- type: 'group',
- },
- log: {
- description: 'Fields which are specific to log events.\n',
- fields: {
- 'log.level': {
- description: 'Log level of the log event.\nSome examples are `WARN`, `ERR`, `INFO`.',
- example: 'ERR',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'log.level',
- required: false,
- type: 'keyword',
- },
- 'log.original': {
- description:
- "This is the original log message and contains the full log message before splitting it up in multiple parts.\nIn contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message.\nThis field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`.",
- example: 'Sep 19 08:26:10 localhost My log',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'log.original',
- required: false,
- type: '(not indexed)',
- },
- },
- group: 2,
- name: 'log',
- title: 'Log',
- type: 'group',
- },
- network: {
- description:
- 'The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.\n',
- fields: {
- 'network.application': {
- description:
- 'A name given to an application. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.',
- example: 'AIM',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'network.application',
- required: false,
- type: 'keyword',
- },
- 'network.bytes': {
- description:
- 'Total bytes transferred in both directions.\nIf `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.',
- example: '368',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'network.bytes',
- required: false,
- type: 'long',
- },
- 'network.community_id': {
- description:
- 'A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.\nLearn more at https://github.com/corelight/community-id-spec.',
- example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'network.community_id',
- required: false,
- type: 'keyword',
- },
- 'network.direction': {
- description:
- "Direction of the network traffic.\nRecommended values are:\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events from a host-based monitoring context, populate this field from the host's point of view.\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.",
- example: 'inbound',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'network.direction',
- required: false,
- type: 'keyword',
- },
- 'network.forwarded_ip': {
- description: 'Host IP address when the source IP address is the proxy.',
- example: '192.1.1.2',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'network.forwarded_ip',
- required: false,
- type: 'ip',
- },
- 'network.iana_number': {
- description:
- 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.',
- example: '6',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'network.iana_number',
- required: false,
- type: 'keyword',
- },
- 'network.name': {
- description: 'Name given by operators to sections of their network.',
- example: 'Guest Wifi',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'network.name',
- required: false,
- type: 'keyword',
- },
- 'network.packets': {
- description:
- 'Total packets transferred in both directions.\nIf `source.packets` and `destination.packets` are known, `network.packets` is their sum.',
- example: '24',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'network.packets',
- required: false,
- type: 'long',
- },
- 'network.protocol': {
- description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol',
- example: 'http',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'network.protocol',
- required: false,
- type: 'keyword',
- },
- 'network.transport': {
- description:
- 'Same as network.iana_number, but instead using the Keyword name of the transport layer (UDP, TCP, IPv6-ICMP, etc.)',
- example: 'TCP',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'network.transport',
- required: false,
- type: 'keyword',
- },
- 'network.type': {
- description:
- 'In the OSI Model this would be the Network Layer. IPv4, IPv6, IPSec, PIM, etc',
- example: 'IPv4',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'network.type',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'network',
- title: 'Network',
- type: 'group',
- },
- observer: {
- description:
- 'An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. \n',
- fields: {
- 'observer.hostname': {
- description: 'Hostname of the observer.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'observer.hostname',
- required: false,
- type: 'keyword',
- },
- 'observer.ip': {
- description: 'IP address of the observer.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'observer.ip',
- required: false,
- type: 'ip',
- },
- 'observer.mac': {
- description: 'MAC address of the observer',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'observer.mac',
- required: false,
- type: 'keyword',
- },
- 'observer.serial_number': {
- description: 'Observer serial number.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'observer.serial_number',
- required: false,
- type: 'keyword',
- },
- 'observer.type': {
- description:
- 'The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.',
- example: 'firewall',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'observer.type',
- required: false,
- type: 'keyword',
- },
- 'observer.vendor': {
- description: 'observer vendor information.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'observer.vendor',
- required: false,
- type: 'keyword',
- },
- 'observer.version': {
- description: 'Observer version.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'observer.version',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'observer',
- title: 'Observer',
- type: 'group',
- },
- organization: {
- description:
- 'The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.\n',
- fields: {
- 'organization.id': {
- description: 'Unique identifier for the organization.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'organization.id',
- required: false,
- type: 'keyword',
- },
- 'organization.name': {
- description: 'Organization name.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'organization.name',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'organization',
- title: 'Organization',
- type: 'group',
- },
- os: {
- description: 'The OS fields contain information about the operating system.\n',
- fields: {
- 'os.family': {
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- example: 'debian',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'os.family',
- required: false,
- type: 'keyword',
- },
- 'os.kernel': {
- description: 'Operating system kernel version as a raw string.',
- example: '4.4.0-112-generic',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'os.kernel',
- required: false,
- type: 'keyword',
- },
- 'os.name': {
- description: 'Operating system name.',
- example: 'Mac OS X',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'os.name',
- required: false,
- type: 'keyword',
- },
- 'os.platform': {
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'os.platform',
- required: false,
- type: 'keyword',
- },
- 'os.version': {
- description: 'Operating system version as a raw string.',
- example: '10.12.6-rc2',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'os.version',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'os',
- title: 'Operating System',
- type: 'group',
- },
- process: {
- description:
- 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.\n',
- fields: {
- 'process.args': {
- description: 'Process arguments.\nMay be filtered to protect sensitive information.',
- example: "['ssh', '-l', 'user', '10.0.0.16']",
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'process.args',
- required: false,
- type: 'keyword',
- },
- 'process.executable': {
- description: 'Absolute path to the process executable.',
- example: '/usr/bin/ssh',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'process.executable',
- required: false,
- type: 'keyword',
- },
- 'process.name': {
- description: 'Process name.\nSometimes called program name or similar.',
- example: 'ssh',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'process.name',
- required: false,
- type: 'keyword',
- },
- 'process.pid': {
- description: 'Process id.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'process.pid',
- required: false,
- type: 'long',
- },
- 'process.ppid': {
- description: 'Process parent id.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'process.ppid',
- required: false,
- type: 'long',
- },
- 'process.start': {
- description: 'The time the process started.',
- example: '2016-05-23T08:05:34.853Z',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'process.start',
- required: false,
- type: 'date',
- },
- 'process.thread.id': {
- description: 'Thread ID.',
- example: '4242',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'process.thread.id',
- required: false,
- type: 'long',
- },
- 'process.title': {
description:
- 'Process title.\nThe proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'process.title',
- required: false,
- type: 'keyword',
- },
- 'process.working_directory': {
- description: 'The working directory of the process.',
- example: '/home/alice',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'process.working_directory',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'process',
- title: 'Process',
- type: 'group',
- },
- related: {
- description:
- 'This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in ECS. To facilitate searching for them, append values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`.\n',
- fields: {
- 'related.ip': {
- description: 'All of the IPs seen on your event.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'related.ip',
- required: false,
- type: 'ip',
- },
- },
- group: 2,
- name: 'related',
- title: 'Related',
- type: 'group',
- },
- server: {
- description:
- 'A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.\n',
- fields: {
- 'server.bytes': {
- description: 'Bytes sent from the server to the client.',
- example: '184',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'server.bytes',
- required: false,
- type: 'long',
- },
- 'server.domain': {
- description: 'Server domain.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'server.domain',
- required: false,
- type: 'keyword',
- },
- 'server.ip': {
- description: 'IP address of the server.\nCan be one or multiple IPv4 or IPv6 addresses.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'server.ip',
- required: false,
- type: 'ip',
- },
- 'server.mac': {
- description: 'MAC address of the server.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'server.mac',
- required: false,
- type: 'keyword',
- },
- 'server.packets': {
- description: 'Packets sent from the server to the client.',
- example: '12',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'server.packets',
- required: false,
- type: 'long',
- },
- 'server.port': {
- description: 'Port of the server.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'server.port',
- required: false,
- type: 'long',
- },
- },
- group: 2,
- name: 'server',
- title: 'Server',
- type: 'group',
- },
- service: {
- description:
- 'The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.\n',
- fields: {
- 'service.ephemeral_id': {
- description:
- 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.',
- example: '8a4f500f',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'service.ephemeral_id',
- required: false,
- type: 'keyword',
- },
- 'service.id': {
- description:
- 'Unique identifier of the running service.\nThis id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service.\nExample: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance.',
- example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'service.id',
- required: false,
- type: 'keyword',
- },
- 'service.name': {
- description:
- 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`.\nAlso it allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified.',
- example: 'elasticsearch-metrics',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'service.name',
- required: false,
- type: 'keyword',
- },
- 'service.state': {
- description: 'Current state of the service.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'service.state',
- required: false,
- type: 'keyword',
- },
- 'service.type': {
- description:
- 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.',
- example: 'elasticsearch',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'service.type',
- required: false,
- type: 'keyword',
- },
- 'service.version': {
- description:
- 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.',
- example: '3.2.4',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'service.version',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'service',
- title: 'Service',
- type: 'group',
- },
- source: {
- description:
- 'Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields.\n',
- fields: {
- 'source.bytes': {
- description: 'Bytes sent from the source to the destination.',
- example: '184',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'source.bytes',
- required: false,
- type: 'long',
- },
- 'source.domain': {
- description: 'Source domain.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'source.domain',
- required: false,
- type: 'keyword',
- },
- 'source.ip': {
- description: 'IP address of the source.\nCan be one or multiple IPv4 or IPv6 addresses.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'source.ip',
- required: false,
- type: 'ip',
- },
- 'source.mac': {
- description: 'MAC address of the source.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'source.mac',
- required: false,
- type: 'keyword',
- },
- 'source.packets': {
- description: 'Packets sent from the source to the destination.',
- example: '12',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'source.packets',
- required: false,
- type: 'long',
- },
- 'source.port': {
- description: 'Port of the source.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'source.port',
- required: false,
- type: 'long',
- },
- },
- group: 2,
- name: 'source',
- title: 'Source',
- type: 'group',
- },
- url: {
- description: 'URL fields provide a complete URL, with scheme, host, and path.\n',
- fields: {
- 'url.domain': {
- description:
- 'Domain of the request, such as "www.elastic.co".\nIn some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.',
- example: 'www.elastic.co',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.domain',
- required: false,
- type: 'keyword',
- },
- 'url.fragment': {
- description:
- 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.fragment',
- required: false,
- type: 'keyword',
- },
- 'url.full': {
- description:
- 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.',
- example: 'https://www.elastic.co:443/search?q=elasticsearch#top',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.full',
- required: false,
- type: 'keyword',
- },
- 'url.original': {
- description:
- 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.',
- example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.original',
- required: false,
- type: 'keyword',
- },
- 'url.password': {
- description: 'Password of the request.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.password',
- required: false,
- type: 'keyword',
- },
- 'url.path': {
- description: 'Path of the request, such as "/search".',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.path',
- required: false,
- type: 'keyword',
- },
- 'url.port': {
- description: 'Port of the request, such as 443.',
- example: '443',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.port',
- required: false,
- type: 'integer',
- },
- 'url.query': {
- description:
- 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.query',
- required: false,
- type: 'keyword',
- },
- 'url.scheme': {
- description:
- 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.',
- example: 'https',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.scheme',
- required: false,
- type: 'keyword',
- },
- 'url.username': {
- description: 'Username of the request.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'url.username',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'url',
- title: 'URL',
- type: 'group',
- },
- user: {
- description:
- 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.\n',
- fields: {
- 'user.email': {
- description: 'User email address.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'user.email',
- required: false,
- type: 'keyword',
- },
- 'user.full_name': {
- description: "User's full name, if available.",
- example: 'Albert Einstein',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'user.full_name',
- required: false,
- type: 'keyword',
- },
- 'user.group': {
- description:
- 'Group the user is a part of. This field can contain a list of groups, if necessary.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'user.group',
- required: false,
- type: 'keyword',
- },
- 'user.hash': {
- description:
- 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.',
- example: '',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'user.hash',
- required: false,
- type: 'keyword',
- },
- 'user.id': {
- description: 'One or multiple unique identifiers of the user.',
- example: '',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'user.id',
- required: false,
- type: 'keyword',
- },
- 'user.name': {
- description: 'Short name or login of the user.',
- example: 'albert',
- footnote: '',
- group: 2,
- level: 'core',
- name: 'user.name',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'user',
- title: 'User',
- type: 'group',
- },
- user_agent: {
- description:
- 'The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.\n',
- fields: {
- 'user_agent.device.name': {
- description: 'Name of the device.',
- example: 'iPhone',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'user_agent.device.name',
- required: false,
- type: 'keyword',
- },
- 'user_agent.name': {
- description: 'Name of the user agent.',
- example: 'Safari',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'user_agent.name',
- required: false,
- type: 'keyword',
- },
- 'user_agent.original': {
- description: 'Unparsed version of the user_agent.',
- example:
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'user_agent.original',
- required: false,
- type: '(not indexed)',
- },
- 'user_agent.version': {
- description: 'Version of the user agent.',
- example: '12.0',
- footnote: '',
- group: 2,
- level: 'extended',
- name: 'user_agent.version',
- required: false,
- type: 'keyword',
- },
- },
- group: 2,
- name: 'user_agent',
- title: 'User agent',
- type: 'group',
+ 'The vulnerability fields describe information about a vulnerability\nthat is relevant to an event.',
+ type: 'group',
+ fields: [
+ {
+ name: 'category',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of system or architecture that the vulnerability affects.\nThese may be platform-specific (for example, Debian or SUSE) or general (for\nexample, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys\nvulnerability categories])\n\nThis field must be an array.',
+ example: '["Firewall"]',
+ default_field: false,
+ },
+ {
+ name: 'classification',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The classification of the vulnerability scoring system. For example\n(https://www.first.org/cvss/)',
+ example: 'CVSS',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'The description of the vulnerability that provides additional context\nof the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common\nVulnerabilities and Exposure CVE description])',
+ example: 'In macOS before 2.12.6, there is a vulnerability in the RPC...',
+ default_field: false,
+ },
+ {
+ name: 'enumeration',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of identifier used for this vulnerability. For example\n(https://cve.mitre.org/about/)',
+ example: 'CVE',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The identification (ID) is the number portion of a vulnerability\nentry. It includes a unique identification number for the vulnerability. For\nexample (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities\nand Exposure CVE ID]',
+ example: 'CVE-2019-00001',
+ default_field: false,
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A resource that provides additional information, context, and mitigations\nfor the identified vulnerability.',
+ example: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111',
+ default_field: false,
+ },
+ {
+ name: 'report_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The report or scan identification number.',
+ example: 20191018.0001,
+ default_field: false,
+ },
+ {
+ name: 'scanner.vendor',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the vulnerability scanner vendor.',
+ example: 'Tenable',
+ default_field: false,
+ },
+ {
+ name: 'score.base',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nBase scores cover an assessment for exploitability metrics (attack vector,\ncomplexity, privileges, and user interaction), impact metrics (confidentiality,\nintegrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)',
+ example: 5.5,
+ default_field: false,
+ },
+ {
+ name: 'score.environmental',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality,\nintegrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)',
+ example: 5.5,
+ default_field: false,
+ },
+ {
+ name: 'score.temporal',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nTemporal scores cover an assessment for code maturity, remediation level,\nand confidence. For example (https://www.first.org/cvss/specification-document)',
+ default_field: false,
+ },
+ {
+ name: 'score.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The National Vulnerability Database (NVD) provides qualitative\nseverity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score\nranges in addition to the severity ratings for CVSS v3.0 as they are defined\nin the CVSS v3.0 specification.\n\nCVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit\norganization, whose mission is to help computer security incident response\nteams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)',
+ example: 2,
+ default_field: false,
+ },
+ {
+ name: 'severity',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The severity of the vulnerability can help with metrics and internal\nprioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)',
+ example: 'Critical',
+ default_field: false,
+ },
+ ],
+ },
+ ],
},
-};
+];
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/filebeat.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/filebeat.ts
index a5877f6c34b8f2..3b8c92ebba2694 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/filebeat.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/filebeat.ts
@@ -15,91 +15,129 @@ export const filebeatSchema: Schema = [
{
key: 'ecs',
title: 'ECS',
- description: 'ECS fields.',
+ description: 'ECS Fields.',
fields: [
{
name: '@timestamp',
- type: 'date',
level: 'core',
required: true,
- example: '2016-05-23T08:05:34.853Z',
+ type: 'date',
description:
- 'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
- },
- {
- name: 'tags',
- level: 'core',
- type: 'keyword',
- example: '["production", "env2"]',
- description: 'List of keywords used to tag each event.',
+ 'Date/time when the event originated.\n\nThis is the date/time extracted from the event, typically representing when\nthe event was generated by the source.\n\nIf the event source has no original timestamp, this value is typically populated\nby the first time the event was received by the pipeline.\n\nRequired field for all events.',
+ example: '2016-05-23T08:05:34.853Z',
},
{
name: 'labels',
level: 'core',
type: 'object',
- example: {
- env: 'production',
- application: 'foo-bar',
- },
+ object_type: 'keyword',
description:
- 'Key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.',
+ 'Custom key/value pairs.\n\nCan be used to add meta information to events. Should not contain nested objects.\nAll values are stored as keyword.\n\nExample: `docker` and `k8s` labels.',
+ example: '{"application": "foo-bar", "env": "production"}',
},
{
name: 'message',
level: 'core',
type: 'text',
- example: 'Hello World',
description:
- 'For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.',
+ 'For log events the message field contains the log message, optimized\nfor viewing in a log viewer.\n\nFor structured logs without an original message field, other fields can be concatenated\nto form a human-readable summary of the event.\n\nIf multiple messages exist, they can be combined into one message.',
+ example: 'Hello World',
+ },
+ {
+ name: 'tags',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'List of keywords used to tag each event.',
+ example: '["production", "env2"]',
},
{
name: 'agent',
title: 'Agent',
group: 2,
description:
- 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.',
+ 'The agent fields contain the data about the software entity, if\nany, that collects, detects, or observes events on a host, or takes measurements\non a host.\n\nExamples include Beats. Agents may also run on observers. ECS agent.* fields\nshall be populated with details of the agent running on the host or observer\nwhere the event happened or the measurement was taken.',
footnote:
- 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.',
+ 'Examples: In the case of Beats for logs, the agent.name is filebeat.\nFor APM, it is the agent running in the app/service. The agent information does\nnot change if data is sent through queuing systems like Kafka, Redis, or processing\nsystems such as Logstash or APM Server.',
type: 'group',
fields: [
{
- name: 'version',
+ name: 'ephemeral_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Ephemeral identifier of this agent (if one exists).\n\nThis id normally changes across restarts, but `agent.id` does not.',
+ example: '8a4f500f',
+ },
+ {
+ name: 'id',
level: 'core',
type: 'keyword',
- description: 'Version of the agent.',
- example: '6.0.0-rc2',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of this agent (if one exists).\n\nExample: For Beats this would be beat.id.',
+ example: '8a4f500d',
},
{
name: 'name',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
+ 'Custom name of the agent.\n\nThis is a name that can be given to an agent. This can be helpful if for example\ntwo Filebeat instances are running on the same host but a human readable separation\nis needed on which Filebeat instance data is coming from.\n\nIf no name is given, the name is often left empty.',
example: 'foo',
},
{
name: 'type',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.',
+ 'Type of the agent.\n\nThe agent type stays always the same and should be given by the agent used.\nIn case of Filebeat the agent would always be Filebeat also if two Filebeat\ninstances are run on the same machine.',
example: 'filebeat',
},
{
- name: 'id',
+ name: 'version',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'Version of the agent.',
+ example: '6.0.0-rc2',
+ },
+ ],
+ },
+ {
+ name: 'as',
+ title: 'Autonomous System',
+ group: 2,
+ description:
+ 'An autonomous system (AS) is a collection of connected Internet Protocol\n(IP) routing prefixes under the control of one or more network operators on\nbehalf of a single administrative entity or domain that presents a common, clearly\ndefined routing policy to the internet.',
+ type: 'group',
+ fields: [
+ {
+ name: 'number',
+ level: 'extended',
+ type: 'long',
description:
- 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
- example: '8a4f500d',
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
},
{
- name: 'ephemeral_id',
+ name: 'organization.name',
level: 'extended',
type: 'keyword',
- description:
- 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
- example: '8a4f500f',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
},
],
},
@@ -108,7183 +146,18212 @@ export const filebeatSchema: Schema = [
title: 'Client',
group: 2,
description:
- 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.',
+ 'A client is defined as the initiator of a network connection for\nevents regarding sessions, connections, or bidirectional flow records.\n\nFor TCP events, the client is the initiator of the TCP connection that sends\nthe SYN packet(s). For other protocols, the client is generally the initiator\nor requestor in the network transaction. Some systems use the term "originator"\nto refer the client in TCP connections. The client fields describe details about\nthe system acting as the client in the network event. Client fields are usually\npopulated in conjunction with server fields. Client fields are generally not\npopulated for packet-level events.\n\nClient / server representations can add semantic context to an exchange, which\nis helpful to visualize the data in certain situations. If your context falls\nin that category, you should still ensure that source and destination are filled\nappropriately.',
type: 'group',
fields: [
{
name: 'address',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ 'Some event client addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
},
{
- name: 'ip',
- level: 'core',
- type: 'ip',
- description: 'IP address of the client. Can be one or multiple IPv4 or IPv6 addresses.',
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
},
{
- name: 'port',
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
level: 'core',
type: 'long',
- description: 'Port of the client.',
+ format: 'bytes',
+ description: 'Bytes sent from the client to the server.',
+ example: 184,
},
{
- name: 'mac',
+ name: 'domain',
level: 'core',
type: 'keyword',
- description: 'MAC address of the client.',
+ ignore_above: 1024,
+ description: 'Client domain.',
},
{
- name: 'domain',
+ name: 'geo.city_name',
level: 'core',
type: 'keyword',
- description: 'Client domain.',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'bytes',
+ name: 'geo.continent_name',
level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the client to the server.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'packets',
+ name: 'geo.country_iso_code',
level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the client to the server.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
- ],
- },
- {
- name: 'cloud',
- title: 'Cloud',
- group: 2,
- description: 'Fields related to the cloud or infrastructure the events are coming from.',
- footnote:
- 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.',
- type: 'group',
- fields: [
{
- name: 'provider',
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
level: 'extended',
- example: 'ec2',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Name of the cloud provider. Example values are ec2, gce, or digitalocean.',
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'availability_zone',
- level: 'extended',
- example: 'us-east-1c',
+ name: 'geo.region_iso_code',
+ level: 'core',
type: 'keyword',
- description: 'Availability zone in which this host is running.',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'region',
- level: 'extended',
+ name: 'geo.region_name',
+ level: 'core',
type: 'keyword',
- example: 'us-east-1',
- description: 'Region in which this host is running.',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
{
- name: 'instance.id',
- level: 'extended',
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description:
+ 'IP address of the client.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
type: 'keyword',
- example: 'i-1234567890abcdef0',
- description: 'Instance ID of the host machine.',
+ ignore_above: 1024,
+ description: 'MAC address of the client.',
},
{
- name: 'instance.name',
+ name: 'nat.ip',
level: 'extended',
- type: 'keyword',
- description: 'Instance name of the host machine.',
+ type: 'ip',
+ description:
+ 'Translated IP of source based NAT sessions (e.g. internal client\nto internet).\n\nTypically connections traversing load balancers, firewalls, or routers.',
},
{
- name: 'machine.type',
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of source based NAT sessions (e.g. internal client\nto internet).\n\nTypically connections traversing load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the client to the server.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the client.',
+ },
+ {
+ name: 'registered_domain',
level: 'extended',
type: 'keyword',
- example: 't2.medium',
- description: 'Machine type of the host machine.',
+ ignore_above: 1024,
+ description:
+ 'The highest registered client domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
},
{
- name: 'account.id',
+ name: 'top_level_domain',
level: 'extended',
type: 'keyword',
- example: 666777888999,
+ ignore_above: 1024,
description:
- 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
},
- ],
- },
- {
- name: 'container',
- title: 'Container',
- group: 2,
- description:
- 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.',
- type: 'group',
- fields: [
{
- name: 'runtime',
+ name: 'user.domain',
level: 'extended',
type: 'keyword',
- description: 'Runtime managing this container.',
- example: 'docker',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'id',
- level: 'core',
+ name: 'user.email',
+ level: 'extended',
type: 'keyword',
- description: 'Unique container id.',
+ ignore_above: 1024,
+ description: 'User email address.',
},
{
- name: 'image.name',
+ name: 'user.full_name',
level: 'extended',
type: 'keyword',
- description: 'Name of the image the container was built on.',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
},
{
- name: 'image.tag',
+ name: 'user.group.domain',
level: 'extended',
type: 'keyword',
- description: 'Container image tag.',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'name',
+ name: 'user.group.id',
level: 'extended',
type: 'keyword',
- description: 'Container name.',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
- name: 'labels',
+ name: 'user.group.name',
level: 'extended',
- type: 'object',
- object_type: 'keyword',
- description: 'Image labels.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
- ],
- },
- {
- name: 'destination',
- title: 'Destination',
- group: 2,
- description:
- 'Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields.',
- type: 'group',
- fields: [
{
- name: 'address',
+ name: 'user.hash',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
},
{
- name: 'ip',
+ name: 'user.id',
level: 'core',
- type: 'ip',
- description:
- 'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
},
{
- name: 'port',
+ name: 'user.name',
level: 'core',
- type: 'long',
- description: 'Port of the destination.',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
},
+ ],
+ },
+ {
+ name: 'cloud',
+ title: 'Cloud',
+ group: 2,
+ description: 'Fields related to the cloud or infrastructure the events are coming\nfrom.',
+ footnote:
+ 'Examples: If Metricbeat is running on an EC2 host and fetches data\nfrom its host, the cloud info contains the data about this machine. If Metricbeat\nruns on a remote machine outside the cloud and fetches data from a service running\nin the cloud, the field contains cloud data from the machine the service is\nrunning on.',
+ type: 'group',
+ fields: [
{
- name: 'mac',
- level: 'core',
+ name: 'account.id',
+ level: 'extended',
type: 'keyword',
- description: 'MAC address of the destination.',
+ ignore_above: 1024,
+ description:
+ 'The cloud account or organization id used to identify different\nentities in a multi-tenant environment.\n\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
+ example: 666777888999,
},
{
- name: 'domain',
- level: 'core',
+ name: 'availability_zone',
+ level: 'extended',
type: 'keyword',
- description: 'Destination domain.',
+ ignore_above: 1024,
+ description: 'Availability zone in which this host is running.',
+ example: 'us-east-1c',
},
{
- name: 'bytes',
- level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the destination to the source.',
+ name: 'instance.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Instance ID of the host machine.',
+ example: 'i-1234567890abcdef0',
},
{
- name: 'packets',
- level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the destination to the source.',
+ name: 'instance.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Instance name of the host machine.',
+ },
+ {
+ name: 'machine.type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Machine type of the host machine.',
+ example: 't2.medium',
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
+ name: 'provider',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ 'Name of the cloud provider. Example values are aws, azure, gcp,\nor digitalocean.',
+ example: 'aws',
+ },
+ {
+ name: 'region',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region in which this host is running.',
+ example: 'us-east-1',
},
],
},
{
- name: 'ecs',
- title: 'ECS',
+ name: 'code_signature',
+ title: 'Code Signature',
group: 2,
- description: 'Meta-information specific to ECS.',
+ description: 'These fields contain information about binary code signatures.',
type: 'group',
fields: [
{
- name: 'version',
+ name: 'exists',
level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'status',
+ level: 'extended',
type: 'keyword',
- required: true,
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'valid',
+ level: 'extended',
+ type: 'boolean',
description:
- 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. The current version is 1.0.0-beta2 .',
- example: '1.0.0-beta2',
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
},
],
},
{
- name: 'error',
- title: 'Error',
+ name: 'container',
+ title: 'Container',
group: 2,
description:
- 'These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.',
+ 'Container fields are used for meta information about the specific\ncontainer that is the source of information.\n\nThese fields help correlate data based containers from any runtime.',
type: 'group',
fields: [
{
name: 'id',
level: 'core',
type: 'keyword',
- description: 'Unique identifier for the error.',
+ ignore_above: 1024,
+ description: 'Unique container id.',
},
{
- name: 'message',
- level: 'core',
- type: 'text',
- description: 'Error message.',
+ name: 'image.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the image the container was built on.',
},
{
- name: 'code',
- level: 'core',
+ name: 'image.tag',
+ level: 'extended',
type: 'keyword',
- description: 'Error code describing the error.',
+ ignore_above: 1024,
+ description: 'Container image tags.',
+ },
+ {
+ name: 'labels',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Image labels.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Container name.',
+ },
+ {
+ name: 'runtime',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Runtime managing this container.',
+ example: 'docker',
},
],
},
{
- name: 'event',
- title: 'Event',
+ name: 'destination',
+ title: 'Destination',
group: 2,
description:
- 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host.',
+ 'Destination fields describe details about the destination of a packet/event.\n\nDestination fields are usually populated in conjunction with source fields.',
type: 'group',
fields: [
{
- name: 'id',
- level: 'core',
+ name: 'address',
+ level: 'extended',
type: 'keyword',
- description: 'Unique ID to describe the event.',
- example: '8a4f500d',
+ ignore_above: 1024,
+ description:
+ 'Some event destination addresses are defined ambiguously. The\nevent will sometimes list an IP, a domain or a unix socket. You should always\nstore the raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
},
{
- name: 'kind',
+ name: 'as.number',
level: 'extended',
- type: 'keyword',
+ type: 'long',
description:
- 'The kind of the event. This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'state',
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
},
{
- name: 'category',
- level: 'core',
+ name: 'as.organization.name',
+ level: 'extended',
type: 'keyword',
- description:
- 'Event category. This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'user-management',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
},
{
- name: 'action',
+ name: 'bytes',
level: 'core',
- type: 'keyword',
- description:
- 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.',
- example: 'user-password-change',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the destination to the source.',
+ example: 184,
},
{
- name: 'outcome',
- level: 'extended',
+ name: 'domain',
+ level: 'core',
type: 'keyword',
- description:
- 'The outcome of the event. If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'success',
+ ignore_above: 1024,
+ description: 'Destination domain.',
},
{
- name: 'type',
+ name: 'geo.city_name',
level: 'core',
type: 'keyword',
- description: 'Reserved for future usage. Please avoid using this field for user data.',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'module',
+ name: 'geo.continent_name',
level: 'core',
type: 'keyword',
- description:
- 'Name of the module this data is coming from. This information is coming from the modules used in Beats or Logstash.',
- example: 'mysql',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'dataset',
+ name: 'geo.country_iso_code',
level: 'core',
type: 'keyword',
- description:
- 'Name of the dataset. The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name.',
- example: 'stats',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'severity',
+ name: 'geo.country_name',
level: 'core',
- type: 'long',
- example: '7',
- description:
- "Severity describes the severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. ",
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'original',
+ name: 'geo.location',
level: 'core',
- type: 'keyword',
- example:
- 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232',
- description:
- 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.',
- index: false,
- doc_values: false,
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
{
- name: 'hash',
+ name: 'geo.name',
level: 'extended',
type: 'keyword',
- example: '123456789012345678901234567890ABCD',
+ ignore_above: 1024,
description:
- 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.',
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'duration',
+ name: 'geo.region_iso_code',
level: 'core',
- type: 'long',
- format: 'duration',
- input_format: 'nanoseconds',
- description:
- 'Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'timezone',
- level: 'extended',
+ name: 'geo.region_name',
+ level: 'core',
type: 'keyword',
- description:
- 'This field should be populated when the event\'s timestamp does not include timezone information already (e.g. default Syslog timestamps). It\'s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
{
- name: 'created',
+ name: 'ip',
level: 'core',
- type: 'date',
+ type: 'ip',
description:
- 'event.created contains the date when the event was created. This timestamp is distinct from @timestamp in that @timestamp contains the processed timestamp. For logs these two timestamps can be different as the timestamp in the log line and when the event is read for example by Filebeat are not identical. `@timestamp` must contain the timestamp extracted from the log line, event.created when the log line is read. The same could apply to package capturing where @timestamp contains the timestamp extracted from the network package and event.created when the event was created. In case the two timestamps are identical, @timestamp should be used.',
+ 'IP address of the destination.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
},
{
- name: 'start',
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the destination.',
+ },
+ {
+ name: 'nat.ip',
level: 'extended',
- type: 'date',
+ type: 'ip',
description:
- 'event.start contains the date when the event started or when the activity was first observed.',
+ 'Translated ip of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
},
{
- name: 'end',
+ name: 'nat.port',
level: 'extended',
- type: 'date',
+ type: 'long',
+ format: 'string',
description:
- 'event.end contains the date when the event ended or when the activity was last observed.',
+ 'Port the source session is translated to by NAT Device.\n\nTypically used with load balancers, firewalls, or routers.',
},
{
- name: 'risk_score',
+ name: 'packets',
level: 'core',
- type: 'float',
- description:
- "Risk score or priority of the event (e.g. security solutions). Use your system's original value here. ",
+ type: 'long',
+ description: 'Packets sent from the destination to the source.',
+ example: 12,
},
{
- name: 'risk_score_norm',
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the destination.',
+ },
+ {
+ name: 'registered_domain',
level: 'extended',
- type: 'float',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.',
+ 'The highest registered destination domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
},
- ],
- },
- {
- name: 'file',
- group: 2,
- title: 'File',
- description:
- 'A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.',
- type: 'group',
- fields: [
{
- name: 'path',
+ name: 'top_level_domain',
level: 'extended',
type: 'keyword',
- description: 'Path to the file.',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
},
{
- name: 'target_path',
+ name: 'user.domain',
level: 'extended',
type: 'keyword',
- description: 'Target path for symlinks.',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'extension',
+ name: 'user.email',
level: 'extended',
type: 'keyword',
- description: 'File extension. This should allow easy filtering by file extensions.',
- example: 'png',
+ ignore_above: 1024,
+ description: 'User email address.',
},
{
- name: 'type',
+ name: 'user.full_name',
level: 'extended',
type: 'keyword',
- description: 'File type (file, dir, or symlink).',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
},
{
- name: 'device',
+ name: 'user.group.domain',
level: 'extended',
type: 'keyword',
- description: 'Device that is the source of the file.',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'inode',
+ name: 'user.group.id',
level: 'extended',
type: 'keyword',
- description: 'Inode representing the file in the filesystem.',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
- name: 'uid',
+ name: 'user.group.name',
level: 'extended',
type: 'keyword',
- description: 'The user ID (UID) or security identifier (SID) of the file owner.',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
{
- name: 'owner',
+ name: 'user.hash',
level: 'extended',
type: 'keyword',
- description: "File owner's username.",
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
},
{
- name: 'gid',
- level: 'extended',
+ name: 'user.id',
+ level: 'core',
type: 'keyword',
- description: 'Primary group ID (GID) of the file.',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
},
{
- name: 'group',
- level: 'extended',
+ name: 'user.name',
+ level: 'core',
type: 'keyword',
- description: 'Primary group name of the file.',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'dll',
+ title: 'DLL',
+ group: 2,
+ description:
+ 'These fields contain information about code libraries dynamically\nloaded into processes.\n\n\nMany operating systems refer to "shared code libraries" with different names,\nbut this field set refers to all of the following:\n\n* Dynamic-link library (`.dll`) commonly used on Windows\n\n* Shared Object (`.so`) commonly used on Unix-like operating systems\n\n* Dynamic library (`.dylib`) commonly used on macOS',
+ type: 'group',
+ fields: [
+ {
+ name: 'code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'mode',
+ name: 'code_signature.status',
level: 'extended',
type: 'keyword',
- example: 416,
- description: 'Mode of the file in octal representation.',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
},
{
- name: 'size',
- level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'File size in bytes (field is only added when `type` is `file`).',
+ name: 'code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'mtime',
+ name: 'code_signature.trusted',
level: 'extended',
- type: 'date',
- description: 'Last time file content was modified.',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'ctime',
+ name: 'code_signature.valid',
level: 'extended',
- type: 'date',
- description: 'Last time file metadata changed.',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
},
- ],
- },
- {
- name: 'group',
- title: 'Group',
- group: 2,
- description:
- 'The group fields are meant to represent groups that are relevant to the event.',
- type: 'group',
- fields: [
{
- name: 'id',
+ name: 'hash.md5',
level: 'extended',
type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ default_field: false,
},
{
- name: 'name',
+ name: 'hash.sha1',
level: 'extended',
type: 'keyword',
- description: 'Name of the group.',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ default_field: false,
},
- ],
- },
- {
- name: 'host',
- title: 'Host',
- group: 2,
- description:
- 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or on which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.',
- type: 'group',
- fields: [
{
- name: 'hostname',
- level: 'core',
+ name: 'hash.sha256',
+ level: 'extended',
type: 'keyword',
- description:
- 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ default_field: false,
},
{
- name: 'name',
- level: 'core',
+ name: 'hash.sha512',
+ level: 'extended',
type: 'keyword',
- description:
- 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ default_field: false,
},
{
- name: 'id',
+ name: 'name',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.',
+ 'Name of the library.\n\nThis generally maps to the name of the file on disk.',
+ example: 'kernel32.dll',
+ default_field: false,
},
{
- name: 'ip',
- level: 'core',
- type: 'ip',
- description: 'Host ip address.',
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Full file path of the library.',
+ example: 'C:\\Windows\\System32\\kernel32.dll',
+ default_field: false,
},
{
- name: 'mac',
- level: 'core',
+ name: 'pe.company',
+ level: 'extended',
type: 'keyword',
- description: 'Host mac address.',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'type',
- level: 'core',
+ name: 'pe.description',
+ level: 'extended',
type: 'keyword',
- description:
- 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
},
{
- name: 'architecture',
- level: 'core',
+ name: 'pe.file_version',
+ level: 'extended',
type: 'keyword',
- example: 'x86_64',
- description: 'Operating system architecture.',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
},
{
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
- {
- name: 'platform',
- level: 'extended',
- type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
- },
- {
- name: 'full',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
- },
- {
- name: 'family',
- level: 'extended',
- type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- },
- {
- name: 'version',
- level: 'extended',
- type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
- },
- {
- name: 'kernel',
- level: 'extended',
- type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
- },
- ],
+ name: 'pe.original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ name: 'pe.product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
},
],
},
{
- name: 'http',
- title: 'HTTP',
+ name: 'dns',
+ title: 'DNS',
group: 2,
- description: 'Fields related to HTTP activity.',
+ description:
+ 'Fields describing DNS queries and answers.\n\nDNS events should either represent a single DNS query prior to getting answers\n(`dns.type:query`) or they should represent a full exchange and contain the\nquery details as well as all of the answers that were provided for this query\n(`dns.type:answer`).',
type: 'group',
fields: [
{
- name: 'request.method',
+ name: 'answers',
level: 'extended',
- type: 'keyword',
+ type: 'object',
+ object_type: 'keyword',
description:
- 'Http request method. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'get, post, put',
+ 'An array containing an object for each answer section returned\nby the server.\n\nThe main keys that should be present in these objects are defined by ECS.\nRecords that have more information may contain more keys than what ECS defines.\n\nNot all DNS data sources give all details about DNS answers. At minimum, answer\nobjects must contain the `data` key. If more information is available, map\nas much of it to ECS as possible, and add any additional fields to the answer\nobjects as custom fields.',
},
{
- name: 'request.body.content',
+ name: 'answers.class',
level: 'extended',
type: 'keyword',
- description: 'The full http request body.',
- example: 'Hello world',
+ ignore_above: 1024,
+ description: 'The class of DNS data contained in this resource record.',
+ example: 'IN',
},
{
- name: 'request.referrer',
+ name: 'answers.data',
level: 'extended',
type: 'keyword',
- description: 'Referrer for this HTTP request.',
- example: 'https://blog.example.com/',
+ ignore_above: 1024,
+ description:
+ 'The data describing the resource.\n\nThe meaning of this data depends on the type and class of the resource record.',
+ example: '10.10.10.10',
},
{
- name: 'response.status_code',
+ name: 'answers.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The domain name to which this resource record pertains.\n\nIf a chain of CNAME is being resolved, each answer `name` should be the\none that corresponds with the answer `data`. It should not simply be the\noriginal `question.name` repeated.',
+ example: 'www.google.com',
+ },
+ {
+ name: 'answers.ttl',
level: 'extended',
type: 'long',
- description: 'Http response status code.',
- example: 404,
+ description:
+ 'The time interval in seconds that this resource record may be cached\nbefore it should be discarded. Zero values mean that the data should not be\ncached.',
+ example: 180,
},
{
- name: 'response.body.content',
+ name: 'answers.type',
level: 'extended',
type: 'keyword',
- description: 'The full http response body.',
- example: 'Hello world',
+ ignore_above: 1024,
+ description: 'The type of data contained in this resource record.',
+ example: 'CNAME',
},
{
- name: 'version',
+ name: 'header_flags',
level: 'extended',
type: 'keyword',
- description: 'Http version.',
- example: 1.1,
+ ignore_above: 1024,
+ description:
+ 'Array of 2 letter DNS header flags.\n\nExpected values are: AA, TC, RD, RA, AD, CD, DO.',
+ example: ['RD', 'RA'],
},
{
- name: 'request.bytes',
+ name: 'id',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Total size in bytes of the request (body and headers).',
- example: 1437,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The DNS packet identifier assigned by the program that generated\nthe query. The identifier is copied to the response.',
+ example: 62111,
},
{
- name: 'request.body.bytes',
+ name: 'op_code',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Size in bytes of the request body.',
- example: 887,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The DNS operation code that specifies the kind of query in the\nmessage. This value is set by the originator of a query and copied into the\nresponse.',
+ example: 'QUERY',
},
{
- name: 'response.bytes',
+ name: 'question.class',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Total size in bytes of the response (body and headers).',
- example: 1437,
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The class of records being queried.',
+ example: 'IN',
},
{
- name: 'response.body.bytes',
+ name: 'question.name',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Size in bytes of the response body.',
- example: 887,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name being queried.\n\nIf the name field contains non-printable characters (below 32 or above 126),\nthose characters should be represented as escaped base 10 integers (\\DDD).\nBack slashes and quotes should be escaped. Tabs, carriage returns, and line\nfeeds should be converted to \\t, \\r, and \\n respectively.',
+ example: 'www.google.com',
+ },
+ {
+ name: 'question.registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'question.subdomain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The subdomain is all of the labels under the registered_domain.\n\nIf the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",\nthe subdomain field should contain "sub2.sub1", with no trailing period.',
+ example: 'www',
+ },
+ {
+ name: 'question.top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'question.type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The type of record being queried.',
+ example: 'AAAA',
+ },
+ {
+ name: 'resolved_ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Array containing all IPs seen in `answers.data`.\n\nThe `answers` array can be difficult to use, because of the variety of data\nformats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`\nmakes it possible to index them as IP addresses, and makes them easier to\nvisualize and query for.',
+ example: ['10.10.10.10', '10.10.10.11'],
+ },
+ {
+ name: 'response_code',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The DNS response code.',
+ example: 'NOERROR',
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of DNS event captured, query or answer.\n\nIf your source of DNS events only gives you DNS queries, you should only create\ndns events of type `dns.type:query`.\n\nIf your source of DNS events gives you answers as well, you should create\none event per query (optionally as soon as the query is seen). And a second\nevent containing all query details as well as an array of answers.',
+ example: 'answer',
},
],
},
{
- name: 'log',
- title: 'Log',
- description: 'Fields which are specific to log events.',
+ name: 'ecs',
+ title: 'ECS',
+ group: 2,
+ description: 'Meta-information specific to ECS.',
type: 'group',
fields: [
{
- name: 'level',
+ name: 'version',
+ level: 'core',
+ required: true,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'ECS version this event conforms to. `ecs.version` is a required\nfield and must exist in all events.\n\nWhen querying across multiple indices -- which may conform to slightly different\nECS versions -- this field lets integrations adjust to the schema version\nof the events.',
+ example: '1.0.0',
+ },
+ ],
+ },
+ {
+ name: 'error',
+ title: 'Error',
+ group: 2,
+ description:
+ 'These fields can represent errors of any kind.\n\nUse them for errors that happen while fetching events or in cases where the\nevent itself contains an error.',
+ type: 'group',
+ fields: [
+ {
+ name: 'code',
level: 'core',
type: 'keyword',
- description: 'Log level of the log event. Some examples are `WARN`, `ERR`, `INFO`.',
- example: 'ERR',
+ ignore_above: 1024,
+ description: 'Error code describing the error.',
},
{
- name: 'original',
+ name: 'id',
level: 'core',
type: 'keyword',
- example: 'Sep 19 08:26:10 localhost My log',
- index: false,
- doc_values: false,
- description:
- " This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. ",
+ ignore_above: 1024,
+ description: 'Unique identifier for the error.',
+ },
+ {
+ name: 'message',
+ level: 'core',
+ type: 'text',
+ description: 'Error message.',
+ },
+ {
+ name: 'stack_trace',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The stack trace of this error in plain text.',
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The type of the error, for example the class name of the exception.',
+ example: 'java.lang.NullPointerException',
},
],
},
{
- name: 'network',
- title: 'Network',
+ name: 'event',
+ title: 'Event',
group: 2,
description:
- 'The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.',
+ 'The event fields are used for context information about the log\nor metric event itself.\n\nA log is defined as an event containing details of something that happened.\nLog events must include the time at which the thing happened. Examples of log\nevents include a process starting on a host, a network packet being sent from\na source to a destination, or a network connection between a client and a server\nbeing initiated or closed. A metric is defined as an event containing one or\nmore numerical measurements and the time at which the measurement was taken.\nExamples of metric events include memory pressure measured on a host and device\ntemperature. See the `event.kind` definition in this section for additional\ndetails about metric and state events.',
type: 'group',
fields: [
{
- name: 'name',
- level: 'extended',
+ name: 'action',
+ level: 'core',
type: 'keyword',
- description: 'Name given by operators to sections of their network.',
- example: 'Guest Wifi',
+ ignore_above: 1024,
+ description:
+ 'The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.',
+ example: 'user-password-change',
},
{
- name: 'type',
+ name: 'category',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'ipv4',
+ 'This is one of four ECS Categorization Fields, and indicates the\nsecond level in the ECS category hierarchy.\n\n`event.category` represents the "big buckets" of ECS categories. For example,\nfiltering on `event.category:process` yields all events relating to process\nactivity. This field is closely related to `event.type`, which is used as\na subcategory.\n\nThis field is an array. This will allow proper categorization of some events\nthat fall in multiple categories.',
+ example: 'authentication',
},
{
- name: 'iana_number',
+ name: 'code',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.',
- example: 6,
+ 'Identification code for this event, if one exists.\n\nSome event sources use event codes to identify messages unambiguously, regardless\nof message language or wording adjustments over time. An example of this is\nthe Windows Event ID.',
+ example: 4648,
},
{
- name: 'transport',
+ name: 'created',
+ level: 'core',
+ type: 'date',
+ description:
+ 'event.created contains the date/time when the event was first\nread by an agent, or by your pipeline.\n\nThis field is distinct from @timestamp in that @timestamp typically contain\nthe time extracted from the original event.\n\nIn most situations, these two timestamps will be slightly different. The difference\ncan be used to calculate the delay between your source generating an event,\nand the time when your agent first processed it. This can be used to monitor\nyour agent or pipeline ability to keep up with your event source.\n\nIn case the two timestamps are identical, @timestamp should be used.',
+ example: '2016-05-23T08:05:34.857Z',
+ },
+ {
+ name: 'dataset',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'tcp',
+ 'Name of the dataset.\n\nIf an event source publishes more than one type of log or events (e.g. access\nlog, error log), the dataset is used to specify which one the event comes\nfrom.\n\nIt is recommended but not required to start the dataset name with the module\nname, followed by a dot, then the dataset name.',
+ example: 'apache.access',
},
{
- name: 'application',
+ name: 'duration',
+ level: 'core',
+ type: 'long',
+ format: 'duration',
+ input_format: 'nanoseconds',
+ output_format: 'asMilliseconds',
+ output_precision: 1,
+ description:
+ 'Duration of the event in nanoseconds.\n\nIf event.start and event.end are known this value should be the difference\nbetween the end and start time.',
+ },
+ {
+ name: 'end',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'event.end contains the date when the event ended or when the activity\nwas last observed.',
+ },
+ {
+ name: 'hash',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'A name given to an application. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'aim',
+ 'Hash (perhaps logstash fingerprint) of raw field to be able to\ndemonstrate log integrity.',
+ example: '123456789012345678901234567890ABCD',
},
{
- name: 'protocol',
+ name: 'id',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique ID to describe the event.',
+ example: '8a4f500d',
+ },
+ {
+ name: 'ingested',
+ level: 'core',
+ type: 'date',
description:
- 'L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'http',
+ 'Timestamp when an event arrived in the central data store.\n\nThis is different from `@timestamp`, which is when the event originally occurred. It is\nalso different from `event.created`, which is meant to capture the first time\nan agent saw the event.\n\nIn normal conditions, assuming no tampering, the timestamps should chronologically\nlook like this: `@timestamp` < `event.created` < `event.ingested`.',
+ example: '2016-05-23T08:05:35.101Z',
+ default_field: false,
},
{
- name: 'direction',
+ name: 'kind',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- "Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. ",
- example: 'inbound',
+ 'This is one of four ECS Categorization Fields, and indicates the\nhighest level in the ECS category hierarchy.\n\n`event.kind` gives high-level information about what type of information the\nevent contains, without being specific to the contents of the event. For example,\nvalues of this field distinguish alert events from metric events.\n\nThe value of this field can be used to inform how these kinds of events should\nbe handled. They may warrant different retention, different access control,\nit may also help understand whether the data coming in at a regular interval\nor not.',
+ example: 'alert',
},
{
- name: 'forwarded_ip',
+ name: 'module',
level: 'core',
- type: 'ip',
- description: 'Host IP address when the source IP address is the proxy.',
- example: '192.1.1.2',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the module this data is coming from.\n\nIf your monitoring agent supports the concept of modules or plugins to process\nevents of a given source (e.g. Apache logs), `event.module` should contain\nthe name of this module.',
+ example: 'apache',
},
{
- name: 'community_id',
+ name: 'original',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Raw text message of entire event. Used to demonstrate log integrity.\n\nThis field is not indexed and doc_values are disabled. It cannot be searched,\nbut it can be retrieved from `_source`.',
+ example:
+ 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|\nworm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232',
+ },
+ {
+ name: 'outcome',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nlowest level in the ECS category hierarchy.\n\n`event.outcome` simply denotes whether the event represents a success or a\nfailure from the perspective of the entity that produced the event.\n\nNote that when a single transaction is described in multiple events, each\nevent may populate different values of `event.outcome`, according to their\nperspective.\n\nAlso note that in the case of a compound event (a single event that contains\nmultiple logical events), this field should be populated with the value that\nbest captures the overall success or failure from the perspective of the event\nproducer.\n\nFurther note that not all events will have an associated outcome. For example,\nthis field is generally not populated for metric events, events with `event.type:info`,\nor any events for which an outcome does not make logical sense.',
+ example: 'success',
+ },
+ {
+ name: 'provider',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec.',
- example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=',
+ 'Source of the event.\n\nEvent transports such as Syslog or the Windows Event Log typically mention\nthe source of an event. It can be the name of the software that generated\nthe event (e.g. Sysmon, httpd), or of a subsystem of the operating system\n(kernel, Microsoft-Windows-Security-Auditing).',
+ example: 'kernel',
},
{
- name: 'bytes',
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Reference URL linking to additional information about this event.\n\nThis URL links to a static definition of the this event. Alert events, indicated\nby `event.kind:alert`, are a common use case for this field.',
+ example: 'https://system.vendor.com/event/#0001234',
+ default_field: false,
+ },
+ {
+ name: 'risk_score',
level: 'core',
+ type: 'float',
+ description:
+ "Risk score or priority of the event (e.g. security solutions).\nUse your system's original value here.",
+ },
+ {
+ name: 'risk_score_norm',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Normalized risk score or priority of the event, on a scale of\n0 to 100.\n\nThis is mainly useful if you use more than one system that assigns risk scores,\nand you want to see a normalized value across all systems.',
+ },
+ {
+ name: 'sequence',
+ level: 'extended',
type: 'long',
- format: 'bytes',
+ format: 'string',
description:
- 'Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.',
- example: 368,
+ 'Sequence number of the event.\n\nThe sequence number is a value published by some event sources, to make the\nexact ordering of events unambiguous, regardless of the timestamp precision.',
},
{
- name: 'packets',
+ name: 'severity',
level: 'core',
type: 'long',
+ format: 'string',
description:
- 'Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.',
- example: 24,
+ 'The numeric severity of the event according to your event source.\n\nWhat the different severity values mean can be different between sources and\nuse cases. It is up to the implementer to make sure severities are consistent\nacross events from the same source.\n\nThe Syslog severity belongs in `log.syslog.severity.code`. `event.severity`\nis meant to represent the severity according to the event source (e.g. firewall,\nIDS). If the event source does not publish its own severity, you may optionally\ncopy the `log.syslog.severity.code` to `event.severity`.',
+ example: 7,
+ },
+ {
+ name: 'start',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'event.start contains the date when the event started or when the\nactivity was first observed.',
+ },
+ {
+ name: 'timezone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This field should be populated when the event timestamp does\nnot include timezone information already (e.g. default Syslog timestamps).\nIt is optional otherwise.\n\nAcceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),\nabbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nthird level in the ECS category hierarchy.\n\n`event.type` represents a categorization "sub-bucket" that, when used along\nwith the `event.category` field values, enables filtering events down to a\nlevel appropriate for single visualization.\n\nThis field is an array. This will allow proper categorization of some events\nthat fall in multiple event types.',
+ },
+ {
+ name: 'url',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'URL linking to an external system to continue investigation of\nthis event.\n\nThis URL links to another system where in-depth investigation of the specific\noccurence of this event can take place. Alert events, indicated by `event.kind:alert`,\nare a common use case for this field.',
+ example: 'https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe',
+ default_field: false,
},
],
},
{
- name: 'observer',
- title: 'Observer',
+ name: 'file',
+ title: 'File',
group: 2,
description:
- 'An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.',
+ 'A file is defined as a set of information that has been created\non, or has existed on a filesystem.\n\nFile objects can be associated with host events, network events, and/or file\nevents (e.g., those produced by File Integrity Monitoring [FIM] products or\nservices). File fields provide details about the affected file associated with\nthe event or metric.',
type: 'group',
fields: [
{
- name: 'mac',
- level: 'core',
- type: 'keyword',
- description: 'MAC address of the observer',
+ name: 'accessed',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Last time the file was accessed.\n\nNote that not all filesystems keep track of access time.',
},
{
- name: 'ip',
- level: 'core',
- type: 'ip',
- description: 'IP address of the observer.',
+ name: 'attributes',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of file attributes.\n\nAttributes names will vary by platform. Here is a non-exhaustive list of values\nthat are expected in this field: archive, compressed, directory, encrypted,\nexecute, hidden, read, readonly, system, write.',
+ example: '["readonly", "system"]',
+ default_field: false,
},
{
- name: 'hostname',
+ name: 'code_signature.exists',
level: 'core',
- type: 'keyword',
- description: 'Hostname of the observer.',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'vendor',
- level: 'core',
+ name: 'code_signature.status',
+ level: 'extended',
type: 'keyword',
- description: 'observer vendor information.',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
},
{
- name: 'version',
+ name: 'code_signature.subject_name',
level: 'core',
type: 'keyword',
- description: 'Observer version.',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'serial_number',
+ name: 'code_signature.trusted',
level: 'extended',
- type: 'keyword',
- description: 'Observer serial number.',
- },
- {
- name: 'type',
- level: 'core',
- type: 'keyword',
+ type: 'boolean',
description:
- 'The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.',
- example: 'firewall',
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
- {
- name: 'platform',
- level: 'extended',
- type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
- },
- {
- name: 'full',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
- },
- {
- name: 'family',
- level: 'extended',
- type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- },
- {
- name: 'version',
- level: 'extended',
- type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
- },
- {
- name: 'kernel',
- level: 'extended',
- type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
- },
- ],
+ name: 'code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
+ name: 'created',
+ level: 'extended',
+ type: 'date',
description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ 'File creation time.\n\nNote that not all filesystems store the creation time.',
},
- ],
- },
- {
- name: 'organization',
- title: 'Organization',
- group: 2,
- description:
- 'The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.',
- type: 'group',
- fields: [
{
- name: 'name',
+ name: 'ctime',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Last time the file attributes or metadata changed.\n\nNote that changes to the file content will update `mtime`. This implies `ctime`\nwill be adjusted at the same time, since `mtime` is an attribute of the file.',
+ },
+ {
+ name: 'device',
level: 'extended',
type: 'keyword',
- description: 'Organization name.',
+ ignore_above: 1024,
+ description: 'Device that is the source of the file.',
+ example: 'sda',
},
{
- name: 'id',
+ name: 'directory',
level: 'extended',
type: 'keyword',
- description: 'Unique identifier for the organization.',
+ ignore_above: 1024,
+ description:
+ 'Directory where the file is located. It should include the drive\nletter, when appropriate.',
+ example: '/home/alice',
},
- ],
- },
- {
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
{
- name: 'platform',
+ name: 'drive_letter',
level: 'extended',
type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
+ ignore_above: 1,
+ description:
+ 'Drive letter where the file is located. This field is only relevant\non Windows.\n\nThe value should be uppercase, and not include the colon.',
+ example: 'C',
+ default_field: false,
},
{
- name: 'name',
+ name: 'extension',
level: 'extended',
type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
+ ignore_above: 1024,
+ description: 'File extension.',
+ example: 'png',
},
{
- name: 'full',
+ name: 'gid',
level: 'extended',
type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
+ ignore_above: 1024,
+ description: 'Primary group ID (GID) of the file.',
+ example: '1001',
},
{
- name: 'family',
+ name: 'group',
level: 'extended',
type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
+ ignore_above: 1024,
+ description: 'Primary group name of the file.',
+ example: 'alice',
},
{
- name: 'version',
+ name: 'hash.md5',
level: 'extended',
type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
},
{
- name: 'kernel',
+ name: 'hash.sha1',
level: 'extended',
type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
},
- ],
- },
- {
- name: 'process',
- title: 'Process',
- group: 2,
- description:
- 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.',
- type: 'group',
- fields: [
{
- name: 'pid',
- level: 'core',
- type: 'long',
- description: 'Process id.',
- example: 'ssh',
+ name: 'hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
},
{
- name: 'name',
+ name: 'hash.sha512',
level: 'extended',
type: 'keyword',
- description: 'Process name. Sometimes called program name or similar.',
- example: 'ssh',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
},
{
- name: 'ppid',
+ name: 'inode',
level: 'extended',
- type: 'long',
- description: 'Process parent id.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Inode representing the file in the filesystem.',
+ example: '256383',
},
{
- name: 'args',
+ name: 'mime_type',
level: 'extended',
type: 'keyword',
- description: 'Process arguments. May be filtered to protect sensitive information.',
- example: ['ssh', '-l', 'user', '10.0.0.16'],
+ ignore_above: 1024,
+ description:
+ 'MIME type should identify the format of the file or stream of bytes\nusing https://www.iana.org/assignments/media-types/media-types.xhtml[IANA\nofficial types], where possible. When more than one type is applicable, the\nmost specific type should be used.',
+ default_field: false,
},
{
- name: 'executable',
+ name: 'mode',
level: 'extended',
type: 'keyword',
- description: 'Absolute path to the process executable.',
- example: '/usr/bin/ssh',
+ ignore_above: 1024,
+ description: 'Mode of the file in octal representation.',
+ example: '0640',
},
{
- name: 'title',
+ name: 'mtime',
+ level: 'extended',
+ type: 'date',
+ description: 'Last time the file content was modified.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the file including the extension, without the directory.',
+ example: 'example.png',
+ },
+ {
+ name: 'owner',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: "File owner's username.",
+ example: 'alice',
+ },
+ {
+ name: 'path',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
description:
- 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.',
+ 'Full path to the file, including the file name. It should include\nthe drive letter, when appropriate.',
+ example: '/home/alice/example.png',
},
{
- name: 'thread.id',
+ name: 'pe.company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'pe.description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'pe.file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'pe.original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'pe.product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ {
+ name: 'size',
level: 'extended',
type: 'long',
- example: 4242,
- description: 'Thread ID.',
+ description: 'File size in bytes.\n\nOnly relevant when `file.type` is "file".',
+ example: 16384,
},
{
- name: 'start',
+ name: 'target_path',
level: 'extended',
- type: 'date',
- example: '2016-05-23T08:05:34.853Z',
- description: 'The time the process started.',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Target path for symlinks.',
},
{
- name: 'working_directory',
+ name: 'type',
level: 'extended',
type: 'keyword',
- example: '/home/alice',
- description: 'The working directory of the process.',
+ ignore_above: 1024,
+ description: 'File type (file, dir, or symlink).',
+ example: 'file',
},
- ],
- },
- {
- name: 'related',
- title: 'Related',
- group: 2,
- description:
- 'This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in ECS. To facilitate searching for them, append values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`.',
- type: 'group',
- fields: [
{
- name: 'ip',
+ name: 'uid',
level: 'extended',
- type: 'ip',
- description: 'All of the IPs seen on your event.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The user ID (UID) or security identifier (SID) of the file owner.',
+ example: '1001',
},
],
},
{
- name: 'server',
- title: 'Server',
+ name: 'geo',
+ title: 'Geo',
group: 2,
description:
- 'A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.',
+ 'Geo fields can carry data about a specific location related to an\nevent.\n\nThis geolocation information can be derived from techniques such as Geo IP,\nor be user-supplied.',
type: 'group',
fields: [
{
- name: 'address',
- level: 'extended',
+ name: 'city_name',
+ level: 'core',
type: 'keyword',
- description:
- 'Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'ip',
+ name: 'continent_name',
level: 'core',
- type: 'ip',
- description: 'IP address of the server. Can be one or multiple IPv4 or IPv6 addresses.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'port',
+ name: 'country_iso_code',
level: 'core',
- type: 'long',
- description: 'Port of the server.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'mac',
+ name: 'country_name',
level: 'core',
type: 'keyword',
- description: 'MAC address of the server.',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'domain',
+ name: 'location',
level: 'core',
- type: 'keyword',
- description: 'Server domain.',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
{
- name: 'bytes',
- level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the server to the client.',
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'packets',
+ name: 'region_iso_code',
level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the server to the client.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ name: 'region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
],
},
{
- name: 'service',
- title: 'Service',
+ name: 'group',
+ title: 'Group',
group: 2,
description:
- 'The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.',
+ 'The group fields are meant to represent groups that are relevant\nto the event.',
type: 'group',
fields: [
{
- name: 'id',
- level: 'core',
+ name: 'domain',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance.',
- example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6',
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
name: 'name',
- level: 'core',
+ level: 'extended',
type: 'keyword',
- example: 'elasticsearch-metrics',
- description:
- 'Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified.',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
+ ],
+ },
+ {
+ name: 'hash',
+ title: 'Hash',
+ group: 2,
+ description:
+ 'The hash fields represent different hash algorithms and their values.\n\nField names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for\nother hashes by lowercasing the hash algorithm name and using underscore separators\nas appropriate (snake case, e.g. sha3_512).',
+ type: 'group',
+ fields: [
{
- name: 'type',
- level: 'core',
+ name: 'md5',
+ level: 'extended',
type: 'keyword',
- example: 'elasticsearch',
- description:
- 'The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
},
{
- name: 'state',
- level: 'core',
+ name: 'sha1',
+ level: 'extended',
type: 'keyword',
- description: 'Current state of the service.',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
},
{
- name: 'version',
- level: 'core',
+ name: 'sha256',
+ level: 'extended',
type: 'keyword',
- example: '3.2.4',
- description:
- 'Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
},
{
- name: 'ephemeral_id',
+ name: 'sha512',
level: 'extended',
type: 'keyword',
- description:
- 'Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.',
- example: '8a4f500f',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
},
],
},
{
- name: 'source',
- title: 'Source',
+ name: 'host',
+ title: 'Host',
group: 2,
description:
- 'Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields.',
+ 'A host is defined as a general computing instance.\n\nECS host.* fields should be populated with details about the host on which the\nevent happened, or from which the measurement was taken. Host types include\nhardware, virtual machines, Docker containers, and Kubernetes nodes.',
type: 'group',
fields: [
{
- name: 'address',
+ name: 'architecture',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system architecture.',
+ example: 'x86_64',
+ },
+ {
+ name: 'domain',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ 'Name of the domain of which the host is a member.\n\nFor example, on Windows this could be the host Active Directory domain\nor NetBIOS domain name. For Linux this could be the domain of the host\nLDAP provider.',
+ example: 'CONTOSO',
+ default_field: false,
},
{
- name: 'ip',
+ name: 'geo.city_name',
level: 'core',
- type: 'ip',
- description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'port',
+ name: 'geo.continent_name',
level: 'core',
- type: 'long',
- description: 'Port of the source.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'mac',
+ name: 'geo.country_iso_code',
level: 'core',
type: 'keyword',
- description: 'MAC address of the source.',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'domain',
+ name: 'geo.country_name',
level: 'core',
type: 'keyword',
- description: 'Source domain.',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'bytes',
+ name: 'geo.location',
level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the source to the destination.',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
{
- name: 'packets',
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the source to the destination.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
- ],
- },
- {
- name: 'url',
- title: 'URL',
- description: 'URL fields provide a complete URL, with scheme, host, and path.',
- type: 'group',
- fields: [
{
- name: 'original',
- level: 'extended',
+ name: 'hostname',
+ level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.',
- example:
- 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch',
+ 'Hostname of the host.\n\nIt normally contains what the `hostname` command returns on the host machine.',
},
{
- name: 'full',
- level: 'extended',
+ name: 'id',
+ level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.',
- example: 'https://www.elastic.co:443/search?q=elasticsearch#top',
+ 'Unique host id.\n\nAs hostname is not always unique, use values that are meaningful in your environment.\n\nExample: The current usage of `beat.name`.',
},
{
- name: 'scheme',
- level: 'extended',
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'Host ip addresses.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
type: 'keyword',
- description:
- 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.',
- example: 'https',
+ ignore_above: 1024,
+ description: 'Host mac addresses.',
},
{
- name: 'domain',
- level: 'extended',
+ name: 'name',
+ level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Domain of the request, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.',
- example: 'www.elastic.co',
+ 'Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.',
},
{
- name: 'port',
+ name: 'os.family',
level: 'extended',
- type: 'integer',
- description: 'Port of the request, such as 443.',
- example: 443,
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
},
{
- name: 'path',
+ name: 'os.full',
level: 'extended',
type: 'keyword',
- description: 'Path of the request, such as "/search".',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
},
{
- name: 'query',
+ name: 'os.kernel',
level: 'extended',
type: 'keyword',
- description:
- 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
},
{
- name: 'fragment',
+ name: 'os.name',
level: 'extended',
type: 'keyword',
- description:
- 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
},
{
- name: 'username',
+ name: 'os.platform',
level: 'extended',
type: 'keyword',
- description: 'Username of the request.',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
},
{
- name: 'password',
+ name: 'os.version',
level: 'extended',
type: 'keyword',
- description: 'Password of the request.',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
},
- ],
- },
- {
- name: 'user',
- title: 'User',
- group: 2,
- description:
- 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.',
- reusable: {
- top_level: true,
- expected: ['client', 'destination', 'host', 'server', 'source'],
- },
- type: 'group',
- fields: [
{
- name: 'id',
+ name: 'type',
level: 'core',
type: 'keyword',
- description: 'One or multiple unique identifiers of the user.',
+ ignore_above: 1024,
+ description:
+ 'Type of host.\n\nFor Cloud providers this can be the machine type like `t2.medium`. If vm,\nthis could be the container, for example, or other information meaningful\nin your environment.',
},
{
- name: 'name',
- level: 'core',
- type: 'keyword',
- example: 'albert',
- description: 'Short name or login of the user.',
+ name: 'uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the host has been up.',
+ example: 1325,
},
{
- name: 'full_name',
+ name: 'user.domain',
level: 'extended',
type: 'keyword',
- example: 'Albert Einstein',
- description: "User's full name, if available. ",
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'email',
+ name: 'user.email',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description: 'User email address.',
},
{
- name: 'hash',
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.',
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'group',
- title: 'Group',
- group: 2,
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'The group fields are meant to represent groups that are relevant to the event.',
- type: 'group',
- fields: [
- {
- name: 'id',
- level: 'extended',
- type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
- },
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description: 'Name of the group.',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Short name or login of the user.',
+ example: 'albert',
},
],
},
{
- name: 'user_agent',
- title: 'User agent',
+ name: 'http',
+ title: 'HTTP',
group: 2,
description:
- 'The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.',
+ 'Fields related to HTTP activity. Use the `url` field set to store\nthe url of the request.',
type: 'group',
fields: [
{
- name: 'original',
+ name: 'request.body.bytes',
level: 'extended',
- type: 'keyword',
- description: 'Unparsed version of the user_agent.',
- example:
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
+ type: 'long',
+ format: 'bytes',
+ description: 'Size in bytes of the request body.',
+ example: 887,
},
{
- name: 'name',
+ name: 'request.body.content',
level: 'extended',
type: 'keyword',
- example: 'Safari',
- description: 'Name of the user agent.',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The full HTTP request body.',
+ example: 'Hello world',
},
{
- name: 'version',
+ name: 'request.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Total size in bytes of the request (body and headers).',
+ example: 1437,
+ },
+ {
+ name: 'request.method',
level: 'extended',
type: 'keyword',
- description: 'Version of the user agent.',
- example: 12,
+ ignore_above: 1024,
+ description:
+ 'HTTP request method.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'get, post, put',
},
{
- name: 'device.name',
+ name: 'request.referrer',
level: 'extended',
type: 'keyword',
- example: 'iPhone',
- description: 'Name of the device.',
+ ignore_above: 1024,
+ description: 'Referrer for this HTTP request.',
+ example: 'https://blog.example.com/',
},
{
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
- {
- name: 'platform',
- level: 'extended',
- type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
- },
- {
- name: 'full',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
- },
- {
- name: 'family',
- level: 'extended',
- type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- },
- {
- name: 'version',
- level: 'extended',
- type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
- },
+ name: 'response.body.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Size in bytes of the response body.',
+ example: 887,
+ },
+ {
+ name: 'response.body.content',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'kernel',
- level: 'extended',
- type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'The full HTTP response body.',
+ example: 'Hello world',
+ },
+ {
+ name: 'response.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Total size in bytes of the response (body and headers).',
+ example: 1437,
+ },
+ {
+ name: 'response.status_code',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'HTTP response status code.',
+ example: 404,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'HTTP version.',
+ example: 1.1,
},
],
},
{
- name: 'agent.hostname',
- type: 'keyword',
- description: 'Hostname of the agent.',
- },
- ],
- },
- {
- key: 'beat',
- title: 'Beat',
- description: 'Contains common beat fields available in all event types.',
- fields: [
- {
- name: 'beat.timezone',
- type: 'alias',
- path: 'event.timezone',
- migration: true,
- },
- {
- name: 'fields',
- type: 'object',
- object_type: 'keyword',
- description: 'Contains user configurable fields.',
- },
- {
- name: 'error',
+ name: 'interface',
+ title: 'Interface',
+ group: 2,
+ description:
+ 'The interface fields are used to record ingress and egress interface\ninformation when reported by an observer (e.g. firewall, router, load balancer)\nin the context of the observer handling a network connection. In the case of\na single observer interface (e.g. network sensor on a span port) only the observer.ingress\ninformation should be populated.',
type: 'group',
- description: 'Error fields containing additional info in case of errors.',
fields: [
{
- name: 'type',
+ name: 'alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
type: 'keyword',
- description: 'Error type.',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
},
],
},
{
- name: 'beat.name',
- type: 'alias',
- path: 'host.name',
- migration: true,
- },
- {
- name: 'beat.hostname',
- type: 'alias',
- path: 'agent.hostname',
- migration: true,
- },
- ],
- },
- {
- key: 'cloud',
- title: 'Cloud provider metadata',
- description: 'Metadata from cloud providers added by the add_cloud_metadata processor.',
- fields: [
- {
- name: 'cloud.project.id',
- example: 'project-x',
- description: 'Name of the project in Google Cloud.',
- },
- {
- name: 'meta.cloud.provider',
- type: 'alias',
- path: 'cloud.provider',
- migration: true,
- },
- {
- name: 'meta.cloud.instance_id',
- type: 'alias',
- path: 'cloud.instance.id',
- migration: true,
- },
- {
- name: 'meta.cloud.instance_name',
- type: 'alias',
- path: 'cloud.instance.name',
- migration: true,
- },
- {
- name: 'meta.cloud.machine_type',
- type: 'alias',
- path: 'cloud.machine.type',
- migration: true,
- },
- {
- name: 'meta.cloud.availability_zone',
- type: 'alias',
- path: 'cloud.availability_zone',
- migration: true,
- },
- {
- name: 'meta.cloud.project_id',
- type: 'alias',
- path: 'cloud.project.id',
- migration: true,
- },
- {
- name: 'meta.cloud.region',
- type: 'alias',
- path: 'cloud.region',
- migration: true,
- },
- ],
- },
- {
- key: 'docker',
- title: 'Docker',
- description: 'Docker stats collected from Docker.',
- short_config: false,
- anchor: 'docker-processor',
- fields: [
- {
- name: 'docker',
+ name: 'log',
+ title: 'Log',
+ group: 2,
+ description:
+ 'Details about the event logging mechanism or logging transport.\n\nThe log.* fields are typically populated with details about the logging mechanism\nused to create and/or transport the event. For example, syslog details belong\nunder `log.syslog.*`.\n\nThe details specific to your event source are typically not logged under `log.*`,\nbut rather in `event.*` or in other ECS fields.',
type: 'group',
fields: [
{
- name: 'container.id',
- type: 'alias',
- path: 'container.id',
- migration: true,
+ name: 'level',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Original log level of the log event.\n\nIf the source of the event provides a log level or textual severity, this\nis the one that goes in `log.level`. If your source does not specify one,\nyou may put your event transport severity here (e.g. Syslog severity).\n\nSome examples are `warn`, `err`, `i`, `informational`.',
+ example: 'error',
},
{
- name: 'container.image',
- type: 'alias',
- path: 'container.image.name',
- migration: true,
+ name: 'logger',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name of the logger inside an application. This is usually the\nname of the class which initialized the logger, or can be a custom name.',
+ example: 'org.elasticsearch.bootstrap.Bootstrap',
},
{
- name: 'container.name',
- type: 'alias',
- path: 'container.name',
- migration: true,
+ name: 'origin.file.line',
+ level: 'extended',
+ type: 'integer',
+ description:
+ 'The line number of the file containing the source code which originated\nthe log event.',
+ example: 42,
},
{
- name: 'container.labels',
+ name: 'origin.file.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name of the file containing the source code which originated\nthe log event. Note that this is not the name of the log file.',
+ example: 'Bootstrap.java',
+ },
+ {
+ name: 'origin.function',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the function or method which originated the log event.',
+ example: 'init',
+ },
+ {
+ name: 'original',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is the original log message and contains the full log message\nbefore splitting it up in multiple parts.\n\nIn contrast to the `message` field which can contain an extracted part of\nthe log message, this field contains the original, full log message. It can\nhave already some modifications applied like encoding or new lines removed\nto clean up the log message.\n\nThis field is not indexed and doc_values are disabled so it cannot be queried\nbut the value can be retrieved from `_source`.',
+ example: 'Sep 19 08:26:10 localhost My log',
+ },
+ {
+ name: 'syslog',
+ level: 'extended',
type: 'object',
object_type: 'keyword',
- description: 'Image labels.',
+ description:
+ 'The Syslog metadata of the event, if the event was transmitted\nvia Syslog. Please see RFCs 5424 or 3164.',
+ },
+ {
+ name: 'syslog.facility.code',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'The Syslog numeric facility of the log event, if available.\n\nAccording to RFCs 5424 and 3164, this value should be an integer between 0\nand 23.',
+ example: 23,
+ },
+ {
+ name: 'syslog.facility.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The Syslog text-based facility of the log event, if available.',
+ example: 'local7',
+ },
+ {
+ name: 'syslog.priority',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Syslog numeric priority of the event, if available.\n\nAccording to RFCs 5424 and 3164, the priority is 8 * facility + severity.\nThis number is therefore expected to contain a value between 0 and 191.',
+ example: 135,
+ },
+ {
+ name: 'syslog.severity.code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The Syslog numeric severity of the log event, if available.\n\nIf the event source publishing via Syslog provides a different numeric severity\nvalue (e.g. firewall, IDS), your source numeric severity should go to `event.severity`.\nIf the event source does not specify a distinct severity, you can optionally\ncopy the Syslog severity to `event.severity`.',
+ example: 3,
+ },
+ {
+ name: 'syslog.severity.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The Syslog numeric severity of the log event, if available.\n\nIf the event source publishing via Syslog provides a different severity value\n(e.g. firewall, IDS), your source text severity should go to `log.level`.\nIf the event source does not specify a distinct severity, you can optionally\ncopy the Syslog severity to `log.level`.',
+ example: 'Error',
},
],
},
- ],
- },
- {
- key: 'host',
- title: 'Host',
- description: 'Info collected for the host machine.',
- anchor: 'host-processor',
- },
- {
- key: 'kubernetes',
- title: 'Kubernetes',
- description: 'Kubernetes metadata added by the kubernetes processor',
- short_config: false,
- anchor: 'kubernetes-processor',
- fields: [
{
- name: 'kubernetes',
+ name: 'network',
+ title: 'Network',
+ group: 2,
+ description:
+ 'The network is defined as the communication path over which a host\nor network event happens.\n\nThe network.* fields should be populated with details about the network activity\nassociated with an event.',
type: 'group',
fields: [
{
- name: 'pod.name',
+ name: 'application',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes pod name',
+ ignore_above: 1024,
+ description:
+ 'A name given to an application level protocol. This can be arbitrarily\nassigned for things like microservices, but also apply to things like skype,\nicq, facebook, twitter. This would be used in situations where the vendor\nor service can be decoded such as from the source/dest IP owners, ports, or\nwire format.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'aim',
},
{
- name: 'pod.uid',
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description:
+ 'Total bytes transferred in both directions.\n\nIf `source.bytes` and `destination.bytes` are known, `network.bytes` is their\nsum.',
+ example: 368,
+ },
+ {
+ name: 'community_id',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes Pod UID',
+ ignore_above: 1024,
+ description:
+ 'A hash of source and destination IPs and ports, as well as the\nprotocol used in a communication. This is a tool-agnostic standard to identify\nflows.\n\nLearn more at https://github.com/corelight/community-id-spec.',
+ example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=',
},
{
- name: 'namespace',
+ name: 'direction',
+ level: 'core',
type: 'keyword',
- description: 'Kubernetes namespace',
+ ignore_above: 1024,
+ description:
+ "Direction of the network traffic.\nRecommended values are:\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events from a host-based monitoring context, populate this field from the host's point of view.\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.",
+ example: 'inbound',
},
{
- name: 'node.name',
+ name: 'forwarded_ip',
+ level: 'core',
+ type: 'ip',
+ description: 'Host IP address when the source IP address is the proxy.',
+ example: '192.1.1.2',
+ },
+ {
+ name: 'iana_number',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes node name',
+ ignore_above: 1024,
+ description:
+ 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).\nStandardized list of protocols. This aligns well with NetFlow and sFlow related\nlogs which use the IANA Protocol Number.',
+ example: 6,
},
{
- name: 'labels',
+ name: 'inner',
+ level: 'extended',
type: 'object',
- description: 'Kubernetes labels map',
+ object_type: 'keyword',
+ description:
+ 'Network.inner fields are added in addition to network.vlan fields\nto describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed\nfields include vlan.id and vlan.name. Inner vlan fields are typically used\nwhen sending traffic with multiple 802.1q encapsulations to a network sensor\n(e.g. Zeek, Wireshark.)',
+ default_field: false,
},
{
- name: 'annotations',
- type: 'object',
- description: 'Kubernetes annotations map',
+ name: 'inner.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
},
{
- name: 'container.name',
+ name: 'inner.vlan.name',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes container name',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
},
{
- name: 'container.image',
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name given by operators to sections of their network.',
+ example: 'Guest Wifi',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description:
+ 'Total packets transferred in both directions.\n\nIf `source.packets` and `destination.packets` are known, `network.packets`\nis their sum.',
+ example: 24,
+ },
+ {
+ name: 'protocol',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'L7 Network protocol name. ex. http, lumberjack, transport protocol.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'http',
+ },
+ {
+ name: 'transport',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Same as network.iana_number, but instead using the Keyword name\nof the transport layer (udp, tcp, ipv6-icmp, etc.)\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'tcp',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'In the OSI Model this would be the Network Layer. ipv4, ipv6,\nipsec, pim, etc\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'ipv4',
+ },
+ {
+ name: 'vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'vlan.name',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes container image',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
},
],
},
- ],
- },
- {
- key: 'process',
- title: 'Process',
- description: 'Process metadata fields',
- fields: [
{
- name: 'process',
+ name: 'observer',
+ title: 'Observer',
+ group: 2,
+ description:
+ 'An observer is defined as a special network, security, or application\ndevice used to detect, observe, or create network, security, or application-related\nevents and metrics.\n\nThis could be a custom hardware appliance or a server that has been configured\nto run special network, security, or application software. Examples include\nfirewalls, web proxies, intrusion detection/prevention systems, network monitoring\nsensors, web application firewalls, data loss prevention systems, and APM servers.\nThe observer.* fields shall be populated with details of the system, if any,\nthat detects, observes and/or creates a network, security, or application event\nor metric. Message queues and ETL components used in processing events or metrics\nare not considered observers in ECS.',
type: 'group',
fields: [
{
- name: 'exe',
- type: 'alias',
- path: 'process.executable',
- migration: true,
+ name: 'egress',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'Observer.egress holds information like interface number and name,\nvlan, and zone information to classify egress traffic. Single armed monitoring\nsuch as a network sensor on a span port should only use observer.ingress\nto categorize traffic.',
+ default_field: false,
},
- ],
- },
- ],
- },
- {
- key: 'log',
- title: 'Log file content',
- description: 'Contains log file lines.',
- fields: [
- {
- name: 'log.file.path',
- type: 'keyword',
- required: false,
- description:
- 'The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`.',
- },
- {
- name: 'log.source.address',
- type: 'keyword',
- required: false,
- description: 'Source address from which the log event was read / sent from.',
- },
- {
- name: 'log.offset',
- type: 'long',
- required: false,
- description: 'The file offset the reported line starts at.',
- },
- {
- name: 'stream',
- type: 'keyword',
- required: false,
- description: "Log stream when reading container logs, can be 'stdout' or 'stderr' ",
- },
- {
- name: 'input.type',
- required: true,
- description:
- 'The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file.',
- },
- {
- name: 'event.sequence',
- type: 'long',
- required: false,
- description: 'The sequence number of this event.',
- },
- {
- name: 'syslog.facility',
- type: 'long',
- required: false,
- description: 'The facility extracted from the priority.',
- },
- {
- name: 'syslog.priority',
- type: 'long',
- required: false,
- description: 'The priority of the syslog event.',
- },
- {
- name: 'syslog.severity_label',
- type: 'keyword',
- required: false,
- description: 'The human readable severity.',
- },
- {
- name: 'syslog.facility_label',
- type: 'keyword',
- required: false,
- description: 'The human readable facility.',
- },
- {
- name: 'process.program',
- type: 'keyword',
- required: false,
- description: 'The name of the program.',
- },
- {
- name: 'log.flags',
- description: 'This field contains the flags of the event.',
- },
- {
- name: 'http.response.content_length',
- type: 'alias',
- path: 'http.response.body.bytes',
- migration: true,
- },
- {
- name: 'user_agent',
- type: 'group',
- fields: [
{
- name: 'os',
- type: 'group',
- fields: [
+ name: 'egress.interface.alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'egress.interface.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'egress.interface.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
+ },
+ {
+ name: 'egress.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'egress.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'egress.zone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Network zone of outbound traffic as reported by the observer to\ncategorize the destination area of egress traffic, e.g. Internal, External,\nDMZ, HR, Legal, etc.',
+ example: 'Public_Internet',
+ default_field: false,
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'hostname',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Hostname of the observer.',
+ },
+ {
+ name: 'ingress',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'Observer.ingress holds information like interface number and name,\nvlan, and zone information to classify ingress traffic. Single armed monitoring\nsuch as a network sensor on a span port should only use observer.ingress\nto categorize traffic.',
+ default_field: false,
+ },
+ {
+ name: 'ingress.interface.alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'ingress.interface.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'ingress.interface.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
+ },
+ {
+ name: 'ingress.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'ingress.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'ingress.zone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Network zone of incoming traffic as reported by the observer to\ncategorize the source area of ingress traffic. e.g. internal, External, DMZ,\nHR, Legal, etc.',
+ example: 'DMZ',
+ default_field: false,
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'IP addresses of the observer.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC addresses of the observer',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Custom name of the observer.\n\nThis is a name that can be given to an observer. This can be helpful for example\nif multiple firewalls of the same model are used in an organization.\n\nIf no custom name is needed, the field can be left empty.',
+ example: '1_proxySG',
+ },
+ {
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'full_name',
- type: 'keyword',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The product name of the observer.',
+ example: 's200',
+ },
+ {
+ name: 'serial_number',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Observer serial number.',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of the observer the data is coming from.\n\nThere is no predefined list of observer types. Some examples are `forwarder`,\n`firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.',
+ example: 'firewall',
+ },
+ {
+ name: 'vendor',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Vendor name of the observer.',
+ example: 'Symantec',
+ },
+ {
+ name: 'version',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Observer version.',
},
],
},
{
- name: 'fileset.name',
- type: 'keyword',
- description: 'The Filebeat fileset that generated this event.',
- },
- {
- name: 'fileset.module',
- type: 'alias',
- path: 'event.module',
- migration: true,
- },
- {
- name: 'read_timestamp',
- type: 'alias',
- path: 'event.created',
- migration: true,
- },
- ],
- },
- {
- key: 'apache',
- title: 'Apache',
- description: 'Apache Module',
- short_config: true,
- fields: [
- {
- name: 'apache2',
+ name: 'organization',
+ title: 'Organization',
+ group: 2,
+ description:
+ 'The organization fields enrich data with information about the company\nor entity the data is associated with.\n\nThese fields help you arrange or filter data stored in an index by one or multiple\norganizations.',
type: 'group',
- description: 'Aliases for backward compatibility with old apache2 fields',
fields: [
{
- name: 'access',
- type: 'group',
- fields: [
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the organization.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'remote_ip',
- type: 'alias',
- path: 'source.address',
- migration: true,
- },
- {
- name: 'ssl.protocol',
- type: 'alias',
- path: 'apache.access.ssl.protocol',
- migration: true,
- },
- {
- name: 'ssl.cipher',
- type: 'alias',
- path: 'apache.access.ssl.cipher',
- migration: true,
- },
- {
- name: 'body_sent.bytes',
- type: 'alias',
- path: 'http.response.body.bytes',
- migration: true,
- },
- {
- name: 'user_name',
- type: 'alias',
- path: 'user.name',
- migration: true,
- },
- {
- name: 'method',
- type: 'alias',
- path: 'http.request.method',
- migration: true,
- },
- {
- name: 'url',
- type: 'alias',
- path: 'url.original',
- migration: true,
- },
- {
- name: 'http_version',
- type: 'alias',
- path: 'http.version',
- migration: true,
- },
- {
- name: 'response_code',
- type: 'alias',
- path: 'http.response.status_code',
- migration: true,
- },
- {
- name: 'referrer',
- type: 'alias',
- path: 'http.request.referrer',
- migration: true,
- },
- {
- name: 'agent',
- type: 'alias',
- path: 'user_agent.original',
- migration: true,
- },
- {
- name: 'user_agent',
- type: 'group',
- fields: [
- {
- name: 'device',
- type: 'alias',
- path: 'user_agent.device.name',
- migration: true,
- },
- {
- name: 'name',
- type: 'alias',
- path: 'user_agent.name',
- migration: true,
- },
- {
- name: 'os',
- type: 'alias',
- path: 'user_agent.os.full_name',
- migration: true,
- },
- {
- name: 'os_name',
- type: 'alias',
- path: 'user_agent.os.name',
- migration: true,
- },
- {
- name: 'original',
- type: 'alias',
- path: 'user_agent.original',
- migration: true,
- },
- ],
- },
- {
- name: 'geoip',
- type: 'group',
- fields: [
- {
- name: 'continent_name',
- type: 'alias',
- path: 'source.geo.continent_name',
- migration: true,
- },
- {
- name: 'country_iso_code',
- type: 'alias',
- path: 'source.geo.country_iso_code',
- migration: true,
- },
- {
- name: 'location',
- type: 'alias',
- path: 'source.geo.location',
- migration: true,
- },
- {
- name: 'region_name',
- type: 'alias',
- path: 'source.geo.region_name',
- migration: true,
- },
- {
- name: 'city_name',
- type: 'alias',
- path: 'source.geo.city_name',
- migration: true,
- },
- {
- name: 'region_iso_code',
- type: 'alias',
- path: 'source.geo.region_iso_code',
- migration: true,
- },
- ],
- },
- ],
- },
- {
- name: 'error',
- type: 'group',
- fields: [
- {
- name: 'level',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- {
- name: 'pid',
- type: 'alias',
- path: 'process.pid',
- migration: true,
- },
- {
- name: 'tid',
- type: 'alias',
- path: 'process.thread.id',
- migration: true,
- },
- {
- name: 'module',
- type: 'alias',
- path: 'apache.error.module',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Organization name.',
},
],
},
{
- name: 'apache',
+ name: 'os',
+ title: 'Operating System',
+ group: 2,
+ description: 'The OS fields contain information about the operating system.',
type: 'group',
- description: 'Apache fields.',
fields: [
{
- name: 'access',
- type: 'group',
- description: 'Contains fields for the Apache HTTP Server access logs.',
- fields: [
- {
- name: 'ssl.protocol',
- type: 'keyword',
- description: 'SSL protocol version.',
- },
+ name: 'family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'ssl.cipher',
- type: 'keyword',
- description: 'SSL cipher name.',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
},
{
- name: 'error',
- type: 'group',
- description: 'Fields from the Apache error logs.',
- fields: [
+ name: 'kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'module',
- type: 'keyword',
- description: 'The module producing the logged message.',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
},
],
},
- ],
- },
- {
- key: 'auditd',
- title: 'Auditd',
- description: 'Module for parsing auditd logs.',
- short_config: true,
- fields: [
{
- name: 'user',
+ name: 'package',
+ title: 'Package',
+ group: 2,
+ description:
+ 'These fields contain information about an installed software package.\nIt contains general information about a package, such as name, version or size.\nIt also contains installation details, such as time or location.',
type: 'group',
fields: [
{
- name: 'terminal',
+ name: 'architecture',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package architecture.',
+ example: 'x86_64',
+ },
+ {
+ name: 'build_version',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Terminal or tty device on which the user is performing the observed activity.',
+ 'Additional information about the build version of the installed\npackage.\n\nFor example use the commit SHA of a non-released package.',
+ example: '36f4f7e89dd61b0988b12ee000b98966867710cd',
+ default_field: false,
},
{
- name: 'audit',
- type: 'group',
- fields: [
- {
- name: 'id',
- type: 'keyword',
- description: 'One or multiple unique identifiers of the user.',
- },
- {
- name: 'name',
- type: 'keyword',
- example: 'albert',
- description: 'Short name or login of the user.',
- },
- {
- name: 'group.id',
- type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
- },
- {
- name: 'group.name',
- type: 'keyword',
- description: 'Name of the group.',
- },
- ],
+ name: 'checksum',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Checksum of the installed package for verification.',
+ example: '68b329da9893e34099c7d8ad5cb9c940',
},
{
- name: 'effective',
- type: 'group',
- fields: [
- {
- name: 'id',
- type: 'keyword',
- description: 'One or multiple unique identifiers of the user.',
- },
- {
- name: 'name',
- type: 'keyword',
- example: 'albert',
- description: 'Short name or login of the user.',
- },
- {
- name: 'group.id',
- type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
- },
- {
- name: 'group.name',
- type: 'keyword',
- description: 'Name of the group.',
- },
- ],
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Description of the package.',
+ example:
+ 'Open source programming language to build simple/reliable/efficient\nsoftware.',
},
{
- name: 'filesystem',
- type: 'group',
- fields: [
- {
- name: 'id',
- type: 'keyword',
- description: 'One or multiple unique identifiers of the user.',
- },
- {
- name: 'name',
- type: 'keyword',
- example: 'albert',
- description: 'Short name or login of the user.',
- },
- {
- name: 'group.id',
- type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
- },
- {
- name: 'group.name',
- type: 'keyword',
- description: 'Name of the group.',
- },
- ],
+ name: 'install_scope',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Indicating how the package was installed, e.g. user-local, global.',
+ example: 'global',
},
{
- name: 'owner',
- type: 'group',
- fields: [
- {
- name: 'id',
- type: 'keyword',
- description: 'One or multiple unique identifiers of the user.',
- },
- {
- name: 'name',
- type: 'keyword',
- example: 'albert',
- description: 'Short name or login of the user.',
- },
- {
- name: 'group.id',
- type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
- },
- {
- name: 'group.name',
- type: 'keyword',
- description: 'Name of the group.',
- },
- ],
+ name: 'installed',
+ level: 'extended',
+ type: 'date',
+ description: 'Time when package was installed.',
},
{
- name: 'saved',
- type: 'group',
- fields: [
- {
- name: 'id',
- type: 'keyword',
- description: 'One or multiple unique identifiers of the user.',
- },
- {
- name: 'name',
- type: 'keyword',
- example: 'albert',
- description: 'Short name or login of the user.',
- },
- {
- name: 'group.id',
- type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
- },
- {
- name: 'group.name',
- type: 'keyword',
- description: 'Name of the group.',
- },
- ],
+ name: 'license',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'License under which the package was released.\n\nUse a short name, e.g. the license identifier from SPDX License List where\npossible (https://spdx.org/licenses/).',
+ example: 'Apache License 2.0',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package name',
+ example: 'go',
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Path where the package is installed.',
+ example: '/usr/local/Cellar/go/1.12.9/',
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Home page or reference URL of the software in this package, if\navailable.',
+ example: 'https://golang.org',
+ default_field: false,
+ },
+ {
+ name: 'size',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Package size in bytes.',
+ example: 62231,
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Type of package.\n\nThis should contain the package file type, rather than the package manager\nname. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.',
+ example: 'rpm',
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package version',
+ example: '1.12.9',
},
],
},
{
- name: 'auditd',
+ name: 'pe',
+ title: 'PE Header',
+ group: 2,
+ description: 'These fields contain Windows Portable Executable (PE) metadata.',
type: 'group',
- description: 'Fields from the auditd logs.',
fields: [
{
- name: 'log',
- type: 'group',
+ name: 'company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'process',
+ title: 'Process',
+ group: 2,
+ description:
+ 'These fields contain information about a process.\n\nThese fields can help you correlate metrics information with a process id/name\nfrom a log message. The `process.pid` often stays in the metric itself and\nis copied to the global field for correlation.',
+ type: 'group',
+ fields: [
+ {
+ name: 'args',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.',
- fields: [
- {
- name: 'old_auid',
- description:
- 'For login events this is the old audit ID used for the user prior to this login.',
- },
- {
- name: 'new_auid',
- description:
- 'For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).',
- },
- {
- name: 'old_ses',
- description:
- 'For login events this is the old session ID used for the user prior to this login.',
- },
- {
- name: 'new_ses',
- description:
- 'For login events this is the new session ID. It can be used to tie a user to future events by session ID.',
- },
- {
- name: 'sequence',
- type: 'long',
- description: 'The audit event sequence number.',
- },
- {
- name: 'items',
- description: 'The number of items in an event.',
- },
+ 'Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.',
+ example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'],
+ },
+ {
+ name: 'args_count',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Length of the process.args array.\n\nThis field can be useful for querying or performing bucket analysis on how\nmany arguments were provided to start a process. More arguments may be an\nindication of suspicious activity.',
+ example: 4,
+ default_field: false,
+ },
+ {
+ name: 'code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'command_line',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'item',
- description:
- 'The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.',
+ name: 'text',
+ type: 'text',
+ norms: false,
},
+ ],
+ description:
+ 'Full command line that started the process, including the absolute\npath to the executable, and all arguments.\n\nSome arguments may be filtered to protect sensitive information.',
+ example: '/usr/bin/ssh -l user 10.0.0.16',
+ default_field: false,
+ },
+ {
+ name: 'entity_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier for the process.\n\nThe implementation of this is specified by the data source, but some examples\nof what could be used here are a process-generated UUID, Sysmon Process GUIDs,\nor a hash of some uniquely identifying components of a process.\n\nConstructing a globally unique identifier is a common practice to mitigate\nPID reuse as well as to identify a specific process over time, across multiple\nmonitored hosts.',
+ example: 'c2c455d9f99375d',
+ default_field: false,
+ },
+ {
+ name: 'executable',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'tty',
- type: 'keyword',
- definition: 'TTY udevice the user is running programs on.',
- },
- {
- name: 'a0',
- description: 'The first argument to the system call.',
- },
- {
- name: 'addr',
- type: 'ip',
- definition: 'Remote address that the user is connecting from.',
- },
- {
- name: 'rport',
- type: 'long',
- definition: 'Remote port number.',
- },
- {
- name: 'laddr',
- type: 'ip',
- definition: 'Local network address.',
- },
- {
- name: 'lport',
- type: 'long',
- definition: 'Local port number.',
- },
- {
- name: 'acct',
- type: 'alias',
- path: 'user.name',
- migration: true,
- },
- {
- name: 'pid',
- type: 'alias',
- path: 'process.pid',
- migration: true,
- },
- {
- name: 'ppid',
- type: 'alias',
- path: 'process.ppid',
- migration: true,
- },
- {
- name: 'res',
- type: 'alias',
- path: 'event.outcome',
- migration: true,
- },
- {
- name: 'record_type',
- type: 'alias',
- path: 'event.action',
- migration: true,
- },
- {
- name: 'geoip',
- type: 'group',
- fields: [
- {
- name: 'continent_name',
- type: 'alias',
- path: 'source.geo.continent_name',
- migration: true,
- },
- {
- name: 'country_iso_code',
- type: 'alias',
- path: 'source.geo.country_iso_code',
- migration: true,
- },
- {
- name: 'location',
- type: 'alias',
- path: 'source.geo.location',
- migration: true,
- },
- {
- name: 'region_name',
- type: 'alias',
- path: 'source.geo.region_name',
- migration: true,
- },
- {
- name: 'city_name',
- type: 'alias',
- path: 'source.geo.city_name',
- migration: true,
- },
- {
- name: 'region_iso_code',
- type: 'alias',
- path: 'source.geo.region_iso_code',
- migration: true,
- },
- ],
- },
- {
- name: 'arch',
- type: 'alias',
- path: 'host.architecture',
- migration: true,
- },
- {
- name: 'gid',
- type: 'alias',
- path: 'user.group.id',
- migration: true,
- },
- {
- name: 'uid',
- type: 'alias',
- path: 'user.id',
- migration: true,
- },
- {
- name: 'agid',
- type: 'alias',
- path: 'user.audit.group.id',
- migration: true,
- },
- {
- name: 'auid',
- type: 'alias',
- path: 'user.audit.id',
- migration: true,
- },
- {
- name: 'fsgid',
- type: 'alias',
- path: 'user.filesystem.group.id',
- migration: true,
- },
- {
- name: 'fsuid',
- type: 'alias',
- path: 'user.filesystem.id',
- migration: true,
- },
- {
- name: 'egid',
- type: 'alias',
- path: 'user.effective.group.id',
- migration: true,
- },
- {
- name: 'euid',
- type: 'alias',
- path: 'user.effective.id',
- migration: true,
- },
- {
- name: 'sgid',
- type: 'alias',
- path: 'user.saved.group.id',
- migration: true,
- },
- {
- name: 'suid',
- type: 'alias',
- path: 'user.saved.id',
- migration: true,
- },
- {
- name: 'ogid',
- type: 'alias',
- path: 'user.owner.group.id',
- migration: true,
- },
- {
- name: 'ouid',
- type: 'alias',
- path: 'user.owner.id',
- migration: true,
- },
- {
- name: 'comm',
- type: 'alias',
- path: 'process.name',
- migration: true,
- },
- {
- name: 'exe',
- type: 'alias',
- path: 'process.executable',
- migration: true,
- },
- {
- name: 'terminal',
- type: 'alias',
- path: 'user.terminal',
- migration: true,
- },
- {
- name: 'msg',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- {
- name: 'src',
- type: 'alias',
- path: 'source.address',
- migration: true,
- },
- {
- name: 'dst',
- type: 'alias',
- path: 'destination.address',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Absolute path to the process executable.',
+ example: '/usr/bin/ssh',
},
- ],
- },
- ],
- },
- {
- key: 'elasticsearch',
- title: 'elasticsearch',
- description: 'elasticsearch Module',
- fields: [
- {
- name: 'elasticsearch',
- type: 'group',
- description: '',
- fields: [
{
- name: 'component',
- description: 'Elasticsearch component from where the log event originated',
- example: 'o.e.c.m.MetaDataCreateIndexService',
- type: 'keyword',
+ name: 'exit_code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The exit code of the process, if this is a termination event.\n\nThe field should be absent if there is no exit code for the event (e.g. process\nstart).',
+ example: 137,
+ default_field: false,
},
{
- name: 'cluster.uuid',
- description: 'UUID of the cluster',
- example: 'GmvrbHlNTiSVYiPf8kxg9g',
+ name: 'hash.md5',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
},
{
- name: 'cluster.name',
- description: 'Name of the cluster',
- example: 'docker-cluster',
+ name: 'hash.sha1',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
},
{
- name: 'node.id',
- description: 'ID of the node',
- example: 'DSiWcTyeThWtUXLB9J0BMw',
+ name: 'hash.sha256',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
},
{
- name: 'node.name',
- description: 'Name of the node',
- example: 'vWNJsZ3',
+ name: 'hash.sha512',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
},
{
- name: 'index.name',
- description: 'Index name',
- example: 'filebeat-test-input',
+ name: 'name',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Process name.\n\nSometimes called program name or similar.',
+ example: 'ssh',
},
{
- name: 'index.id',
- description: 'Index id',
- example: 'aOGgDwbURfCV57AScqbCgw',
+ name: 'parent.args',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of process arguments.\n\nMay be filtered to protect sensitive information.',
+ example: ['ssh', '-l', 'user', '10.0.0.16'],
+ default_field: false,
},
{
- name: 'shard.id',
- description: 'Id of the shard',
- example: '0',
+ name: 'parent.args_count',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Length of the process.args array.\n\nThis field can be useful for querying or performing bucket analysis on how\nmany arguments were provided to start a process. More arguments may be an\nindication of suspicious activity.',
+ example: 4,
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.status',
+ level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
},
{
- name: 'audit',
- type: 'group',
- description: '',
- fields: [
- {
- name: 'layer',
- description:
- 'The layer from which this event originated: rest, transport or ip_filter',
- example: 'rest',
- type: 'keyword',
- },
- {
- name: 'origin.type',
- description:
- 'Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)',
- example: 'local_node',
- type: 'keyword',
- },
- {
- name: 'realm',
- description: 'The authentication realm the authentication was validated against',
- example: 'default_file',
- type: 'keyword',
- },
- {
- name: 'user.realm',
- description: "The user's authentication realm, if authenticated",
- example: 'active_directory',
- type: 'keyword',
- },
- {
- name: 'user.roles',
- description: 'Roles to which the principal belongs',
- example: ['kibana_admin', 'beats_admin'],
- type: 'keyword',
- },
- {
- name: 'action',
- description: 'The name of the action that was executed',
- example: 'cluster:monitor/main',
- type: 'keyword',
- },
- {
- name: 'url.params',
- description: 'REST URI parameters',
- example: '{username=jacknich2}',
- },
- {
- name: 'indices',
- description: 'Indices accessed by action',
- example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'],
- type: 'keyword',
- },
- {
- name: 'request.id',
- description: 'Unique ID of request',
- example: 'WzL_kb6VSvOhAq0twPvHOQ',
- type: 'keyword',
- },
- {
- name: 'request.name',
- description: 'The type of request that was executed',
- example: 'ClearScrollRequest',
- type: 'keyword',
- },
- {
- name: 'request_body',
- type: 'alias',
- path: 'http.request.body.content',
- migration: true,
- },
- {
- name: 'event_type',
- type: 'alias',
- path: 'event.type',
- migration: true,
- },
+ name: 'parent.code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.command_line',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'origin_address',
- type: 'alias',
- path: 'source.ip',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
},
+ ],
+ description:
+ 'Full command line that started the process, including the absolute\npath to the executable, and all arguments.\n\nSome arguments may be filtered to protect sensitive information.',
+ example: '/usr/bin/ssh -l user 10.0.0.16',
+ default_field: false,
+ },
+ {
+ name: 'parent.entity_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier for the process.\n\nThe implementation of this is specified by the data source, but some examples\nof what could be used here are a process-generated UUID, Sysmon Process GUIDs,\nor a hash of some uniquely identifying components of a process.\n\nConstructing a globally unique identifier is a common practice to mitigate\nPID reuse as well as to identify a specific process over time, across multiple\nmonitored hosts.',
+ example: 'c2c455d9f99375d',
+ default_field: false,
+ },
+ {
+ name: 'parent.executable',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'uri',
- type: 'alias',
- path: 'url.original',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
},
+ ],
+ description: 'Absolute path to the process executable.',
+ example: '/usr/bin/ssh',
+ default_field: false,
+ },
+ {
+ name: 'parent.exit_code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The exit code of the process, if this is a termination event.\n\nThe field should be absent if there is no exit code for the event (e.g. process\nstart).',
+ example: 137,
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'principal',
- type: 'alias',
- path: 'user.name',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
},
],
+ description: 'Process name.\n\nSometimes called program name or similar.',
+ example: 'ssh',
+ default_field: false,
},
{
- name: 'deprecation',
- type: 'group',
- description: '',
+ name: 'parent.pgid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Identifier of the group of processes the process belongs to.',
+ default_field: false,
},
{
- name: 'gc',
- type: 'group',
- description: 'GC fileset fields.',
- fields: [
+ name: 'parent.pid',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Process id.',
+ example: 4242,
+ default_field: false,
+ },
+ {
+ name: 'parent.ppid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: "Parent process' pid.",
+ example: 4241,
+ default_field: false,
+ },
+ {
+ name: 'parent.start',
+ level: 'extended',
+ type: 'date',
+ description: 'The time the process started.',
+ example: '2016-05-23T08:05:34.853Z',
+ default_field: false,
+ },
+ {
+ name: 'parent.thread.id',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Thread ID.',
+ example: 4242,
+ default_field: false,
+ },
+ {
+ name: 'parent.thread.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Thread name.',
+ example: 'thread-0',
+ default_field: false,
+ },
+ {
+ name: 'parent.title',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'phase',
- type: 'group',
- description: 'Fields specific to GC phase.',
- fields: [
- {
- name: 'name',
- type: 'keyword',
- description: 'Name of the GC collection phase.',
- },
- {
- name: 'duration_sec',
- type: 'float',
- description: 'Collection phase duration according to the Java virtual machine.',
- },
- {
- name: 'scrub_symbol_table_time_sec',
- type: 'float',
- description: 'Pause time in seconds cleaning up symbol tables.',
- },
- {
- name: 'scrub_string_table_time_sec',
- type: 'float',
- description: 'Pause time in seconds cleaning up string tables.',
- },
- {
- name: 'weak_refs_processing_time_sec',
- type: 'float',
- description: 'Time spent processing weak references in seconds.',
- },
- {
- name: 'parallel_rescan_time_sec',
- type: 'float',
- description:
- 'Time spent in seconds marking live objects while application is stopped.',
- },
- {
- name: 'class_unload_time_sec',
- type: 'float',
- description: 'Time spent unloading unused classes in seconds.',
- },
- {
- name: 'cpu_time',
- type: 'group',
- description: 'Process CPU time spent performing collections.',
- fields: [
- {
- name: 'user_sec',
- type: 'float',
- description: 'CPU time spent outside the kernel.',
- },
- {
- name: 'sys_sec',
- type: 'float',
- description: 'CPU time spent inside the kernel.',
- },
- {
- name: 'real_sec',
- type: 'float',
- description:
- 'Total elapsed CPU time spent to complete the collection from start to finish.',
- },
- ],
- },
- ],
+ name: 'text',
+ type: 'text',
+ norms: false,
},
+ ],
+ description:
+ 'Process title.\n\nThe proctitle, some times the same as process name. Can also be different:\nfor example a browser setting its title to the web page currently opened.',
+ default_field: false,
+ },
+ {
+ name: 'parent.uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the process has been up.',
+ example: 1325,
+ default_field: false,
+ },
+ {
+ name: 'parent.working_directory',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'jvm_runtime_sec',
- type: 'float',
- description: 'The time from JVM start up in seconds, as a floating point number.',
- },
- {
- name: 'threads_total_stop_time_sec',
- type: 'float',
- description: 'Garbage collection threads total stop time seconds.',
- },
- {
- name: 'stopping_threads_time_sec',
- type: 'float',
- description: 'Time took to stop threads seconds.',
- },
- {
- name: 'tags',
- type: 'keyword',
- description: 'GC logging tags.',
- },
- {
- name: 'heap',
- type: 'group',
- description: 'Heap allocation and total size.',
- fields: [
- {
- name: 'size_kb',
- type: 'integer',
- description: 'Total heap size in kilobytes.',
- },
- {
- name: 'used_kb',
- type: 'integer',
- description: 'Used heap in kilobytes.',
- },
- ],
- },
- {
- name: 'old_gen',
- type: 'group',
- description: 'Old generation occupancy and total size.',
- fields: [
- {
- name: 'size_kb',
- type: 'integer',
- description: 'Total size of old generation in kilobytes.',
- },
- {
- name: 'used_kb',
- type: 'integer',
- description: 'Old generation occupancy in kilobytes.',
- },
- ],
- },
- {
- name: 'young_gen',
- type: 'group',
- description: 'Young generation occupancy and total size.',
- fields: [
- {
- name: 'size_kb',
- type: 'integer',
- description: 'Total size of young generation in kilobytes.',
- },
- {
- name: 'used_kb',
- type: 'integer',
- description: 'Young generation occupancy in kilobytes.',
- },
- ],
+ name: 'text',
+ type: 'text',
+ norms: false,
},
],
+ description: 'The working directory of the process.',
+ example: '/home/alice',
+ default_field: false,
},
{
- name: 'server',
- description: 'Server log file',
- type: 'group',
- fields: [
- {
- name: 'stacktrace',
- description: 'Stack trace in case of errors',
- index: false,
- },
- {
- name: 'gc',
- description: 'GC log',
- type: 'group',
- fields: [
- {
- name: 'young',
- description: 'Young GC',
- example: '',
- type: 'group',
- fields: [
- {
- name: 'one',
- description: '',
- example: '',
- type: 'long',
- },
- {
- name: 'two',
- description: '',
- example: '',
- type: 'long',
- },
- ],
- },
- {
- name: 'overhead_seq',
- description: 'Sequence number',
- example: 3449992,
- type: 'long',
- },
- {
- name: 'collection_duration.ms',
- description: 'Time spent in GC, in milliseconds',
- example: 1600,
- type: 'float',
- },
- {
- name: 'observation_duration.ms',
- description: 'Total time over which collection was observed, in milliseconds',
- example: 1800,
- type: 'float',
- },
- ],
- },
- ],
+ name: 'pe.company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'slowlog',
- description: 'Slowlog events from Elasticsearch',
- example:
- '[2018-06-29T10:06:14,933][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[4.5ms], took_millis[4], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{"query":{"match_all":{"boost":1.0}}}],',
- type: 'group',
- fields: [
- {
- name: 'logger',
- description: 'Logger name',
- example: 'index.search.slowlog.fetch',
- type: 'keyword',
- },
- {
- name: 'took',
- description: 'Time it took to execute the query',
- example: '300ms',
- type: 'keyword',
- },
- {
- name: 'types',
- description: 'Types',
- example: '',
- type: 'keyword',
- },
- {
- name: 'stats',
- description: 'Stats groups',
- example: 'group1',
- type: 'keyword',
- },
- {
- name: 'search_type',
- description: 'Search type',
- example: 'QUERY_THEN_FETCH',
- type: 'keyword',
- },
- {
- name: 'source_query',
- description: 'Slow query',
- example: '{"query":{"match_all":{"boost":1.0}}}',
- type: 'keyword',
- },
- {
- name: 'extra_source',
- description: 'Extra source information',
- example: '',
- type: 'keyword',
- },
- {
- name: 'total_hits',
- description: 'Total hits',
- example: 42,
- type: 'keyword',
- },
- {
- name: 'total_shards',
- description: 'Total queried shards',
- example: 22,
- type: 'keyword',
- },
- {
- name: 'routing',
- description: 'Routing',
- example: 's01HZ2QBk9jw4gtgaFtn',
- type: 'keyword',
- },
- {
- name: 'id',
- description: 'Id',
- example: '',
- type: 'keyword',
- },
- {
- name: 'type',
- description: 'Type',
- example: 'doc',
- type: 'keyword',
- },
- ],
+ name: 'pe.description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
},
- ],
- },
- ],
- },
- {
- key: 'haproxy',
- title: 'haproxy',
- description: 'haproxy Module',
- fields: [
- {
- name: 'haproxy',
- type: 'group',
- description: '',
- fields: [
{
- name: 'frontend_name',
- description:
- 'Name of the frontend (or listener) which received and processed the connection.',
+ name: 'pe.file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
},
{
- name: 'backend_name',
- description:
- 'Name of the backend (or listener) which was selected to manage the connection to the server.',
+ name: 'pe.original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
},
{
- name: 'server_name',
- description: 'Name of the last server to which the connection was sent.',
+ name: 'pe.product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
},
{
- name: 'total_waiting_time_ms',
- description: 'Total time in milliseconds spent waiting in the various queues',
+ name: 'pgid',
+ level: 'extended',
type: 'long',
+ format: 'string',
+ description: 'Identifier of the group of processes the process belongs to.',
},
{
- name: 'connection_wait_time_ms',
- description:
- 'Total time in milliseconds spent waiting for the connection to establish to the final server',
+ name: 'pid',
+ level: 'core',
type: 'long',
+ format: 'string',
+ description: 'Process id.',
+ example: 4242,
},
{
- name: 'bytes_read',
- description: 'Total number of bytes transmitted to the client when the log is emitted.',
+ name: 'ppid',
+ level: 'extended',
type: 'long',
+ format: 'string',
+ description: "Parent process' pid.",
+ example: 4241,
},
{
- name: 'time_queue',
- description: 'Total time in milliseconds spent waiting in the various queues.',
- type: 'long',
+ name: 'start',
+ level: 'extended',
+ type: 'date',
+ description: 'The time the process started.',
+ example: '2016-05-23T08:05:34.853Z',
},
{
- name: 'time_backend_connect',
- description:
- 'Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.',
+ name: 'thread.id',
+ level: 'extended',
type: 'long',
+ format: 'string',
+ description: 'Thread ID.',
+ example: 4242,
},
{
- name: 'server_queue',
- description:
- 'Total number of requests which were processed before this one in the server queue.',
- type: 'long',
+ name: 'thread.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Thread name.',
+ example: 'thread-0',
},
{
- name: 'backend_queue',
- description:
- "Total number of requests which were processed before this one in the backend's global queue.",
- type: 'long',
- },
- {
- name: 'bind_name',
- description: 'Name of the listening address which received the connection.',
- },
- {
- name: 'error_message',
- description: 'Error message logged by HAProxy in case of error.',
- type: 'text',
- },
- {
- name: 'source',
+ name: 'title',
+ level: 'extended',
type: 'keyword',
- description: 'The HAProxy source of the log',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Process title.\n\nThe proctitle, some times the same as process name. Can also be different:\nfor example a browser setting its title to the web page currently opened.',
},
{
- name: 'termination_state',
- description: 'Condition the session was in when the session ended.',
+ name: 'uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the process has been up.',
+ example: 1325,
},
{
- name: 'mode',
+ name: 'working_directory',
+ level: 'extended',
type: 'keyword',
- description: 'mode that the frontend is operating (TCP or HTTP)',
- },
- {
- name: 'connections',
- description: 'Contains various counts of connections active in the process.',
- type: 'group',
- fields: [
- {
- name: 'active',
- description:
- 'Total number of concurrent connections on the process when the session was logged.',
- type: 'long',
- },
- {
- name: 'frontend',
- description:
- 'Total number of concurrent connections on the frontend when the session was logged.',
- type: 'long',
- },
- {
- name: 'backend',
- description:
- 'Total number of concurrent connections handled by the backend when the session was logged.',
- type: 'long',
- },
- {
- name: 'server',
- description:
- 'Total number of concurrent connections still active on the server when the session was logged.',
- type: 'long',
- },
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'retries',
- description:
- 'Number of connection retries experienced by this session when trying to connect to the server.',
- type: 'long',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'The working directory of the process.',
+ example: '/home/alice',
},
+ ],
+ },
+ {
+ name: 'registry',
+ title: 'Registry',
+ group: 2,
+ description: 'Fields related to Windows Registry operations.',
+ type: 'group',
+ fields: [
{
- name: 'client',
- description: 'Information about the client doing the request',
- type: 'group',
- fields: [
- {
- name: 'ip',
- type: 'alias',
- path: 'source.address',
- migration: true,
- },
- {
- name: 'port',
- type: 'alias',
- path: 'source.port',
- migration: true,
- },
- ],
+ name: 'data.bytes',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Original bytes written with base64 encoding.\n\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this\ncorresponds to the data pointed by `lp_data`. This is optional but provides\nbetter recoverability and should be populated for REG_BINARY encoded values.',
+ example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=',
+ default_field: false,
},
{
- name: 'process_name',
- type: 'alias',
- path: 'process.name',
- migration: true,
+ name: 'data.strings',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Content when writing string types.\n\nPopulated as an array when writing string data to the registry. For single\nstring registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with\none string. For sequences of string with REG_MULTI_SZ, this array will be\nvariable length. For numeric data, such as REG_DWORD and REG_QWORD, this should\nbe populated with the decimal representation (e.g `"1"`).',
+ example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]',
+ default_field: false,
},
{
- name: 'pid',
- type: 'alias',
- path: 'process.pid',
- migration: true,
+ name: 'data.type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Standard registry type for encoding contents',
+ example: 'REG_SZ',
+ default_field: false,
},
{
- name: 'destination',
- description: 'Destination information',
- type: 'group',
- fields: [
- {
- name: 'port',
- type: 'alias',
- path: 'destination.port',
- migration: true,
- },
- {
- name: 'ip',
- type: 'alias',
- path: 'destination.ip',
- migration: true,
- },
- ],
+ name: 'hive',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Abbreviated name for the hive.',
+ example: 'HKLM',
+ default_field: false,
},
{
- name: 'geoip',
- type: 'group',
- description:
- 'Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.',
- fields: [
- {
- name: 'continent_name',
- type: 'alias',
- path: 'source.geo.continent_name',
- migration: true,
- },
- {
- name: 'country_iso_code',
- type: 'alias',
- path: 'source.geo.country_iso_code',
- migration: true,
- },
- {
- name: 'location',
- type: 'alias',
- path: 'source.geo.location',
- migration: true,
- },
- {
- name: 'region_name',
- type: 'alias',
- path: 'source.geo.region_name',
- migration: true,
- },
- {
- name: 'city_name',
- type: 'alias',
- path: 'source.geo.city_name',
- migration: true,
- },
- {
- name: 'region_iso_code',
- type: 'alias',
- path: 'source.geo.region_iso_code',
- migration: true,
- },
- ],
+ name: 'key',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Hive-relative path of keys.',
+ example:
+ 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe',
+ default_field: false,
},
{
- name: 'http',
- description: 'Please add description',
- type: 'group',
- fields: [
- {
- name: 'response',
- description: 'Fields related to the HTTP response',
- type: 'group',
- fields: [
- {
- name: 'captured_cookie',
- description:
- 'Optional "name=value" entry indicating that the client had this cookie in the response.',
- },
- {
- name: 'captured_headers',
- description:
- 'List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.',
- type: 'keyword',
- },
- {
- name: 'status_code',
- type: 'alias',
- path: 'http.response.status_code',
- migration: true,
- },
- ],
- },
- {
- name: 'request',
- description: 'Fields related to the HTTP request',
- type: 'group',
- fields: [
- {
- name: 'captured_cookie',
- description:
- 'Optional "name=value" entry indicating that the server has returned a cookie with its request.',
- },
- {
- name: 'captured_headers',
- description:
- 'List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.',
- type: 'keyword',
- },
- {
- name: 'raw_request_line',
- description:
- 'Complete HTTP request line, including the method, request and HTTP version string.',
- type: 'keyword',
- },
- {
- name: 'time_wait_without_data_ms',
- description:
- 'Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.',
- type: 'long',
- },
- {
- name: 'time_wait_ms',
- description:
- 'Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.',
- type: 'long',
- },
- ],
- },
- ],
+ name: 'path',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Full path, including hive, key and value',
+ example:
+ 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution\nOptions\\winword.exe\\Debugger',
+ default_field: false,
},
{
- name: 'tcp',
- description: 'TCP log format',
- type: 'group',
- fields: [
- {
- name: 'connection_waiting_time_ms',
- type: 'long',
- description:
- 'Total time in milliseconds elapsed between the accept and the last close',
- },
- ],
+ name: 'value',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the value written.',
+ example: 'Debugger',
+ default_field: false,
},
],
},
- ],
- },
- {
- key: 'icinga',
- title: 'Icinga',
- description: 'Icinga Module',
- fields: [
{
- name: 'icinga',
+ name: 'related',
+ title: 'Related',
+ group: 2,
+ description:
+ 'This field set is meant to facilitate pivoting around a piece of\ndata.\n\nSome pieces of information can be seen in many places in an ECS event. To facilitate\nsearching for them, store an array of all seen values to their corresponding\nfield in `related.`.\n\nA concrete example is IP addresses, which can be under host, observer, source,\ndestination, client, server, and network.forwarded_ip. If you append all IPs\nto `related.ip`, you can then search for a given IP trivially, no matter where\nit appeared, by querying `related.ip:192.0.2.15`.',
type: 'group',
- description: '',
fields: [
{
- name: 'debug',
- type: 'group',
- description: 'Contains fields for the Icinga debug logs.',
- fields: [
- {
- name: 'facility',
- type: 'keyword',
- description: 'Specifies what component of Icinga logged the message.',
- },
- {
- name: 'severity',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- ],
+ name: 'hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ "All the hashes seen on your event. Populating this field, then\nusing it to search for hashes can help in situations where you're unsure what\nthe hash algorithm is (and therefore which key name to search).",
+ default_field: false,
},
{
- name: 'main',
- type: 'group',
- description: 'Contains fields for the Icinga main logs.',
- fields: [
- {
- name: 'facility',
- type: 'keyword',
- description: 'Specifies what component of Icinga logged the message.',
- },
- {
- name: 'severity',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- ],
+ name: 'ip',
+ level: 'extended',
+ type: 'ip',
+ description: 'All of the IPs seen on your event.',
},
{
- name: 'startup',
- type: 'group',
- description: 'Contains fields for the Icinga startup logs.',
- fields: [
- {
- name: 'facility',
- type: 'keyword',
- description: 'Specifies what component of Icinga logged the message.',
- },
- {
- name: 'severity',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- ],
+ name: 'user',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'All the user names seen on your event.',
+ default_field: false,
},
],
},
- ],
- },
- {
- key: 'iis',
- title: 'IIS',
- description: 'Module for parsing IIS log files.',
- fields: [
{
- name: 'iis',
+ name: 'rule',
+ title: 'Rule',
+ group: 2,
+ description:
+ 'Rule fields are used to capture the specifics of any observer or\nagent rules that generate alerts or other notable events.\n\nExamples of data sources that would populate the rule fields include: network\nadmission control platforms, network or host IDS/IPS, network firewalls, web\napplication firewalls, url filters, endpoint detection and response (EDR) systems,\netc.',
type: 'group',
- description: 'Fields from IIS log files.',
fields: [
{
- name: 'access',
- type: 'group',
- description: 'Contains fields for IIS access logs.',
- fields: [
- {
- name: 'sub_status',
- type: 'long',
- description: 'The HTTP substatus code.',
- },
- {
- name: 'win32_status',
- type: 'long',
- description: 'The Windows status code.',
- },
- {
- name: 'site_name',
- type: 'keyword',
- description: 'The site name and instance number.',
- },
- {
- name: 'server_name',
- type: 'keyword',
- description: 'The name of the server on which the log file entry was generated.',
- },
- {
- name: 'cookie',
- type: 'keyword',
- description: 'The content of the cookie sent or received, if any.',
- },
- {
- name: 'body_received.bytes',
- type: 'alias',
- path: 'http.request.body.bytes',
- migration: true,
- },
- {
- name: 'body_sent.bytes',
- type: 'alias',
- path: 'http.response.body.bytes',
- migration: true,
- },
- {
- name: 'server_ip',
- type: 'alias',
- path: 'destination.address',
- migration: true,
- },
- {
- name: 'method',
- type: 'alias',
- path: 'http.request.method',
- migration: true,
- },
- {
- name: 'url',
- type: 'alias',
- path: 'url.path',
- migration: true,
- },
- {
- name: 'query_string',
- type: 'alias',
- path: 'url.query',
- migration: true,
- },
- {
- name: 'port',
- type: 'alias',
- path: 'destination.port',
- migration: true,
- },
- {
- name: 'user_name',
- type: 'alias',
- path: 'user.name',
- migration: true,
- },
- {
- name: 'remote_ip',
- type: 'alias',
- path: 'source.address',
- migration: true,
- },
- {
- name: 'referrer',
- type: 'alias',
- path: 'http.request.referrer',
- migration: true,
- },
- {
- name: 'response_code',
- type: 'alias',
- path: 'http.response.status_code',
- migration: true,
- },
- {
- name: 'http_version',
- type: 'alias',
- path: 'http.version',
- migration: true,
- },
+ name: 'author',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name, organization, or pseudonym of the author or authors who created\nthe rule used to generate this event.',
+ example: ['Star-Lord'],
+ default_field: false,
+ },
+ {
+ name: 'category',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A categorization value keyword used by the entity using the rule\nfor detection of this event.',
+ example: 'Attempted Information Leak',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The description of the rule generating the event.',
+ example: 'Block requests to public DNS over HTTPS / TLS protocols',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A rule ID that is unique within the scope of an agent, observer,\nor other entity using the rule for detection of this event.',
+ example: 101,
+ default_field: false,
+ },
+ {
+ name: 'license',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the license under which the rule used to generate this\nevent is made available.',
+ example: 'Apache 2.0',
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the rule or signature generating the event.',
+ example: 'BLOCK_DNS_over_TLS',
+ default_field: false,
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Reference URL to additional information about the rule used to\ngenerate this event.\n\nThe URL can point to the vendor documentation about the rule. If that is\nnot available, it can also be a link to a more general page describing this\ntype of alert.',
+ example: 'https://en.wikipedia.org/wiki/DNS_over_TLS',
+ default_field: false,
+ },
+ {
+ name: 'ruleset',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the ruleset, policy, group, or parent category in which\nthe rule used to generate this event is a member.',
+ example: 'Standard_Protocol_Filters',
+ default_field: false,
+ },
+ {
+ name: 'uuid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A rule ID that is unique within the scope of a set or group of\nagents, observers, or other entities using the rule for detection of this\nevent.',
+ example: 1100110011,
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The version / revision of the rule being used for analysis.',
+ example: 1.1,
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'server',
+ title: 'Server',
+ group: 2,
+ description:
+ 'A Server is defined as the responder in a network connection for\nevents regarding sessions, connections, or bidirectional flow records.\n\nFor TCP events, the server is the receiver of the initial SYN packet(s) of the\nTCP connection. For other protocols, the server is generally the responder in\nthe network transaction. Some systems actually use the term "responder" to refer\nthe server in TCP connections. The server fields describe details about the\nsystem acting as the server in the network event. Server fields are usually\npopulated in conjunction with client fields. Server fields are generally not\npopulated for packet-level events.\n\nClient / server representations can add semantic context to an exchange, which\nis helpful to visualize the data in certain situations. If your context falls\nin that category, you should still ensure that source and destination are filled\nappropriately.',
+ type: 'group',
+ fields: [
+ {
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event server addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'hostname',
- type: 'alias',
- path: 'host.hostname',
- migration: true,
- },
- {
- name: 'user_agent',
- type: 'group',
- fields: [
- {
- name: 'device',
- type: 'alias',
- path: 'user_agent.device.name',
- migration: true,
- },
- {
- name: 'name',
- type: 'alias',
- path: 'user_agent.name',
- migration: true,
- },
- {
- name: 'os',
- type: 'alias',
- path: 'user_agent.os.full_name',
- migration: true,
- },
- {
- name: 'os_name',
- type: 'alias',
- path: 'user_agent.os.name',
- migration: true,
- },
- {
- name: 'original',
- type: 'alias',
- path: 'user_agent.original',
- migration: true,
- },
- ],
- },
- {
- name: 'geoip',
- type: 'group',
- fields: [
- {
- name: 'continent_name',
- type: 'alias',
- path: 'source.geo.continent_name',
- migration: true,
- },
- {
- name: 'country_iso_code',
- type: 'alias',
- path: 'source.geo.country_iso_code',
- migration: true,
- },
- {
- name: 'location',
- type: 'alias',
- path: 'source.geo.location',
- migration: true,
- },
- {
- name: 'region_name',
- type: 'alias',
- path: 'source.geo.region_name',
- migration: true,
- },
- {
- name: 'city_name',
- type: 'alias',
- path: 'source.geo.city_name',
- migration: true,
- },
- {
- name: 'region_iso_code',
- type: 'alias',
- path: 'source.geo.region_iso_code',
- migration: true,
- },
- ],
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Organization name.',
+ example: 'Google LLC',
},
{
- name: 'error',
- type: 'group',
- description: 'Contains fields for IIS error logs.',
- fields: [
- {
- name: 'reason_phrase',
- type: 'keyword',
- description: 'The HTTP reason phrase.',
- },
- {
- name: 'queue_name',
- type: 'keyword',
- description: 'The IIS application pool name.',
- },
- {
- name: 'remote_ip',
- type: 'alias',
- path: 'source.address',
- migration: true,
- },
- {
- name: 'remote_port',
- type: 'alias',
- path: 'source.port',
- migration: true,
- },
- {
- name: 'server_ip',
- type: 'alias',
- path: 'destination.address',
- migration: true,
- },
- {
- name: 'server_port',
- type: 'alias',
- path: 'destination.port',
- migration: true,
- },
- {
- name: 'http_version',
- type: 'alias',
- path: 'http.version',
- migration: true,
- },
- {
- name: 'method',
- type: 'alias',
- path: 'http.request.method',
- migration: true,
- },
- {
- name: 'url',
- type: 'alias',
- path: 'url.original',
- migration: true,
- },
- {
- name: 'response_code',
- type: 'alias',
- path: 'http.response.status_code',
- migration: true,
- },
- {
- name: 'geoip',
- type: 'group',
- fields: [
- {
- name: 'continent_name',
- type: 'alias',
- path: 'source.geo.continent_name',
- migration: true,
- },
- {
- name: 'country_iso_code',
- type: 'alias',
- path: 'source.geo.country_iso_code',
- migration: true,
- },
- {
- name: 'location',
- type: 'alias',
- path: 'source.geo.location',
- migration: true,
- },
- {
- name: 'region_name',
- type: 'alias',
- path: 'source.geo.region_name',
- migration: true,
- },
- {
- name: 'city_name',
- type: 'alias',
- path: 'source.geo.city_name',
- migration: true,
- },
- {
- name: 'region_iso_code',
- type: 'alias',
- path: 'source.geo.region_iso_code',
- migration: true,
- },
- ],
- },
- ],
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the server to the client.',
+ example: 184,
},
- ],
- },
- ],
- },
- {
- key: 'kafka',
- title: 'Kafka',
- description: 'Kafka module',
- fields: [
- {
- name: 'kafka',
- type: 'group',
- description: '',
- fields: [
{
- name: 'log',
- type: 'group',
- description: 'Kafka log lines.',
- fields: [
- {
- name: 'level',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- {
- name: 'component',
- type: 'keyword',
- description: 'Component the log is coming from.',
- },
- {
- name: 'class',
- type: 'keyword',
- description: 'Java class the log is coming from.',
- },
- {
- name: 'trace',
- type: 'group',
- description: 'Trace in the log line.',
- fields: [
- {
- name: 'class',
- type: 'keyword',
- description: 'Java class the trace is coming from.',
- },
- {
- name: 'message',
- type: 'text',
- description: 'Message part of the trace.',
- },
- ],
- },
- ],
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Server domain.',
},
- ],
- },
- ],
- },
- {
- key: 'kibana',
- title: 'kibana',
- description: 'kibana Module',
- fields: [
- {
- name: 'kibana',
- type: 'group',
- description: '',
- fields: [
{
- name: 'log',
- type: 'group',
- description: 'Kafka log lines.',
- fields: [
- {
- name: 'tags',
- type: 'keyword',
- description: 'Kibana logging tags.',
- },
- {
- name: 'state',
- type: 'keyword',
- description: 'Current state of Kibana.',
- },
- {
- name: 'meta',
- type: 'object',
- object_type: 'keyword',
- },
- {
- name: 'kibana.log.meta.req.headers.referer',
- type: 'alias',
- path: 'http.request.referrer',
- migration: true,
- },
- {
- name: 'kibana.log.meta.req.referer',
- type: 'alias',
- path: 'http.request.referrer',
- migration: true,
- },
- {
- name: 'kibana.log.meta.req.headers.user-agent',
- type: 'alias',
- path: 'user_agent.original',
- migration: true,
- },
- {
- name: 'kibana.log.meta.req.remoteAddress',
- type: 'alias',
- path: 'source.address',
- migration: true,
- },
- {
- name: 'kibana.log.meta.req.url',
- type: 'alias',
- path: 'url.original',
- migration: true,
- },
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description:
+ 'IP address of the server.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the server.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated ip of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the server to the client.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the server.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered server domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'kibana.log.meta.statusCode',
- type: 'alias',
- path: 'http.response.status_code',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'kibana.log.meta.method',
- type: 'alias',
- path: 'http.request.method',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Short name or login of the user.',
+ example: 'albert',
},
],
},
- ],
- },
- {
- key: 'logstash',
- title: 'logstash',
- description: 'logstash Module',
- fields: [
{
- name: 'logstash',
+ name: 'service',
+ title: 'Service',
+ group: 2,
+ description:
+ 'The service fields describe the service for or from which the data\nwas collected.\n\nThese fields help you find and correlate logs for a specific service and version.',
type: 'group',
- description: '',
fields: [
{
- name: 'log',
- title: 'Logstash',
- type: 'group',
- description: 'Fields from the Logstash logs.',
- fields: [
- {
- name: 'module',
- type: 'keyword',
- description: 'The module or class where the event originate.',
- },
- {
- name: 'thread',
- type: 'keyword',
- description: 'Information about the running thread where the log originate.',
- multi_fields: [
- {
- name: 'text',
- type: 'text',
- },
- ],
- },
- {
- name: 'log_event',
- type: 'object',
- description: 'key and value debugging information.',
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- {
- name: 'level',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- ],
+ name: 'ephemeral_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Ephemeral identifier of this service (if one exists).\n\nThis id normally changes across restarts, but `service.id` does not.',
+ example: '8a4f500f',
},
{
- name: 'slowlog',
- type: 'group',
- description: 'slowlog',
- fields: [
- {
- name: 'module',
- type: 'keyword',
- description: 'The module or class where the event originate.',
- },
- {
- name: 'thread',
- type: 'keyword',
- description: 'Information about the running thread where the log originate.',
- multi_fields: [
- {
- name: 'text',
- type: 'text',
- },
- ],
- },
- {
- name: 'event',
- type: 'keyword',
- description: 'Raw dump of the original event',
- multi_fields: [
- {
- name: 'text',
- type: 'text',
- },
- ],
- },
- {
- name: 'plugin_name',
- type: 'keyword',
- description: 'Name of the plugin',
- },
- {
- name: 'plugin_type',
- type: 'keyword',
- description: 'Type of the plugin: Inputs, Filters, Outputs or Codecs.',
- },
- {
- name: 'took_in_millis',
- type: 'long',
- description: 'Execution time for the plugin in milliseconds.',
- },
- {
- name: 'plugin_params',
- type: 'keyword',
- description: 'String value of the plugin configuration',
- multi_fields: [
- {
- name: 'text',
- type: 'text',
- },
- ],
- },
- {
- name: 'plugin_params_object',
- type: 'object',
- description: 'key -> value of the configuration used by the plugin.',
- },
- {
- name: 'level',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- {
- name: 'took_in_nanos',
- type: 'alias',
- path: 'event.duration',
- migration: true,
- },
- ],
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the running service. If the service is comprised\nof many nodes, the `service.id` should be the same for all nodes.\n\nThis id should uniquely identify the service. This makes it possible to correlate\nlogs and metrics for one specific service, no matter which particular node\nemitted the event.\n\nNote that if you need to see the events from one specific host of the service,\nyou should filter on that `host.name` or `host.id` instead.',
+ example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the service data is collected from.\n\nThe name of the service is normally user given. This allows for distributed\nservices that run on multiple hosts to correlate the related instances based\non the name.\n\nIn the case of Elasticsearch the `service.name` could contain the cluster\nname. For Beats the `service.name` is by default a copy of the `service.type`\nfield if no name is specified.',
+ example: 'elasticsearch-metrics',
+ },
+ {
+ name: 'node.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of a service node.\n\nThis allows for two nodes of the same service running on the same host to\nbe differentiated. Therefore, `service.node.name` should typically be unique\nacross nodes of a given service.\n\nIn the case of Elasticsearch, the `service.node.name` could contain the unique\nnode name within the Elasticsearch cluster. In cases where the service does not\nhave the concept of a node name, the host name or container name can be used\nto distinguish running instances that make up this service. If those do not\nprovide uniqueness (e.g. multiple instances of the service running on the\nsame host) - the node name can be manually set.',
+ example: 'instance-0000000016',
+ },
+ {
+ name: 'state',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Current state of the service.',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of the service data is collected from.\n\nThe type can be used to group and correlate logs and metrics from one service\ntype.\n\nExample: If logs or metrics are collected from Elasticsearch, `service.type`\nwould be `elasticsearch`.',
+ example: 'elasticsearch',
+ },
+ {
+ name: 'version',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Version of the service the data was collected from.\n\nThis allows to look at a data set only for a specific version of a service.',
+ example: '3.2.4',
},
],
},
- ],
- },
- {
- key: 'mongodb',
- title: 'mongodb',
- description: 'Module for parsing MongoDB log files.',
- fields: [
{
- name: 'mongodb',
+ name: 'source',
+ title: 'Source',
+ group: 2,
+ description:
+ 'Source fields describe details about the source of a packet/event.\n\nSource fields are usually populated in conjunction with destination fields.',
type: 'group',
- description: 'Fields from MongoDB logs.',
fields: [
{
- name: 'log',
- type: 'group',
- description: 'Contains fields from MongoDB logs.',
- fields: [
- {
- name: 'component',
- description: 'Functional categorization of message',
- example: 'COMMAND',
- type: 'keyword',
- },
- {
- name: 'context',
- description: 'Context of message',
- example: 'initandlisten',
- type: 'keyword',
- },
- {
- name: 'severity',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event source addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Organization name.',
+ example: 'Google LLC',
},
- ],
- },
- ],
- },
- {
- key: 'mysql',
- title: 'MySQL',
- description: 'Module for parsing the MySQL log files.',
- short_config: true,
- fields: [
- {
- name: 'mysql',
- type: 'group',
- description: 'Fields from the MySQL log files.',
- fields: [
{
- name: 'thread_id',
+ name: 'bytes',
+ level: 'core',
type: 'long',
- description: 'The connection or thread ID for the query.',
+ format: 'bytes',
+ description: 'Bytes sent from the source to the destination.',
+ example: 184,
},
{
- name: 'error',
- type: 'group',
- description: 'Contains fields from the MySQL error logs.',
- fields: [
- {
- name: 'thread_id',
- type: 'alias',
- path: 'mysql.thread_id',
- migration: true,
- },
- {
- name: 'level',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Source domain.',
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description:
+ 'IP address of the source.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the source.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated ip of source based NAT sessions (e.g. internal client\nto internet)\n\nTypically connections traversing load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of source based NAT sessions. (e.g. internal client\nto internet)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the source to the destination.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the source.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered source domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
},
{
- name: 'slowlog',
- type: 'group',
- description: 'Contains fields from the MySQL slow logs.',
- fields: [
- {
- name: 'lock_time.sec',
- type: 'float',
- description:
- 'The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number.',
- },
- {
- name: 'rows_sent',
- type: 'long',
- description: 'The number of rows returned by the query.',
- },
- {
- name: 'rows_examined',
- type: 'long',
- description: 'The number of rows scanned by the query.',
- },
- {
- name: 'rows_affected',
- type: 'long',
- description: 'The number of rows modified by the query.',
- },
- {
- name: 'bytes_sent',
- type: 'long',
- format: 'bytes',
- description: 'The size of the query result.',
- },
- {
- name: 'query',
- description: 'The slow query.',
- },
- {
- name: 'id',
- type: 'alias',
- path: 'mysql.thread_id',
- migration: true,
- },
- {
- name: 'schema',
- type: 'keyword',
- description: 'The schema where the slow query was executed.',
- },
- {
- name: 'current_user',
- type: 'keyword',
- description:
- 'Current authenticated user, used to determine access privileges. Can differ from the value for user.',
- },
- {
- name: 'last_errno',
- type: 'keyword',
- description: 'Last SQL error seen.',
- },
- {
- name: 'killed',
- type: 'keyword',
- description: 'Code of the reason if the query was killed.',
- },
- {
- name: 'query_cache_hit',
- type: 'boolean',
- description: 'Whether the query cache was hit.',
- },
- {
- name: 'tmp_table',
- type: 'boolean',
- description: 'Whether a temporary table was used to resolve the query.',
- },
- {
- name: 'tmp_table_on_disk',
- type: 'boolean',
- description: 'Whether the query needed temporary tables on disk.',
- },
- {
- name: 'tmp_tables',
- type: 'long',
- description: 'Number of temporary tables created for this query',
- },
- {
- name: 'tmp_disk_tables',
- type: 'long',
- description: 'Number of temporary tables created on disk for this query.',
- },
- {
- name: 'tmp_table_sizes',
- type: 'long',
- format: 'bytes',
- description: 'Size of temporary tables created for this query.',
- },
- {
- name: 'filesort',
- type: 'boolean',
- description: 'Whether filesort optimization was used.',
- },
- {
- name: 'filesort_on_disk',
- type: 'boolean',
- description:
- 'Whether filesort optimization was used and it needed temporary tables on disk.',
- },
- {
- name: 'priority_queue',
- type: 'boolean',
- description: 'Whether a priority queue was used for filesort.',
- },
- {
- name: 'full_scan',
- type: 'boolean',
- description: 'Whether a full table scan was needed for the slow query.',
- },
- {
- name: 'full_join',
- type: 'boolean',
- description:
- 'Whether a full join was needed for the slow query (no indexes were used for joins).',
- },
- {
- name: 'merge_passes',
- type: 'long',
- description: 'Number of merge passes executed for the query.',
- },
- {
- name: 'log_slow_rate_type',
- type: 'keyword',
- description:
- 'Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query.',
- },
- {
- name: 'log_slow_rate_limit',
- type: 'keyword',
- description:
- 'Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged.',
- },
- {
- name: 'innodb',
- type: 'group',
- description: 'Contains fields relative to InnoDB engine',
- fields: [
- {
- name: 'trx_id',
- type: 'keyword',
- description: 'Transaction ID',
- },
- {
- name: 'io_r_ops',
- type: 'long',
- description: 'Number of page read operations.',
- },
- {
- name: 'io_r_bytes',
- type: 'long',
- format: 'bytes',
- description: 'Bytes read during page read operations.',
- },
- {
- name: 'io_r_wait.sec',
- type: 'long',
- description: 'How long it took to read all needed data from storage.',
- },
- {
- name: 'rec_lock_wait.sec',
- type: 'long',
- description: 'How long the query waited for locks.',
- },
- {
- name: 'queue_wait.sec',
- type: 'long',
- description:
- 'How long the query waited to enter the InnoDB queue and to be executed once in the queue.',
- },
- {
- name: 'pages_distinct',
- type: 'long',
- description: 'Approximated count of pages accessed to execute the query.',
- },
- ],
- },
- {
- name: 'user',
- type: 'alias',
- path: 'user.name',
- migration: true,
- },
- {
- name: 'host',
- type: 'alias',
- path: 'source.domain',
- migration: true,
- },
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'ip',
- type: 'alias',
- path: 'source.ip',
- migration: true,
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Short name or login of the user.',
+ example: 'albert',
},
],
},
- ],
- },
- {
- key: 'nats',
- title: 'nats',
- description: 'Module for parsing NATS log files.',
- release: 'beta',
- fields: [
{
- name: 'nats',
+ name: 'threat',
+ title: 'Threat',
+ group: 2,
+ description:
+ 'Fields to classify events and alerts according to a threat taxonomy\nsuch as the Mitre ATT&CK framework.\n\nThese fields are for users to classify alerts from all of their sources (e.g.\nIDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to\ncapture the high level category of the threat (e.g. "impact"). The threat.technique.*\nfields are meant to capture which kind of approach is used by this detected\nthreat, to accomplish the goal (e.g. "endpoint denial of service").',
type: 'group',
- description: 'Fields from NATS logs.',
fields: [
{
- name: 'log',
- type: 'group',
- description: 'Nats log files',
- release: 'beta',
+ name: 'framework',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the threat framework used to further categorize and classify\nthe tactic and technique of the reported threat. Framework classification\ncan be provided by detecting systems, evaluated at ingest time, or retrospectively\ntagged to events.',
+ example: 'MITRE ATT&CK',
+ },
+ {
+ name: 'tactic.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The id of tactic used by this threat. You can use the Mitre ATT&CK\nMatrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'TA0040',
+ },
+ {
+ name: 'tactic.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the type of tactic used by this threat. You can use the\nMitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'impact',
+ },
+ {
+ name: 'tactic.reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The reference url of tactic used by this threat. You can use the\nMitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'https://attack.mitre.org/tactics/TA0040/',
+ },
+ {
+ name: 'technique.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The id of technique used by this tactic. You can use the Mitre\nATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'T1499',
+ },
+ {
+ name: 'technique.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'The name of technique used by this tactic. You can use the Mitre\nATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'endpoint denial of service',
+ },
+ {
+ name: 'technique.reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The reference url of technique used by this tactic. You can use\nthe Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'https://attack.mitre.org/techniques/T1499/',
},
],
},
- ],
- },
- {
- key: 'nginx',
- title: 'Nginx',
- description: 'Module for parsing the Nginx log files.',
- short_config: true,
- fields: [
{
- name: 'nginx',
+ name: 'tls',
+ title: 'TLS',
+ group: 2,
+ description:
+ 'Fields related to a TLS connection. These fields focus on the TLS\nprotocol itself and intentionally avoids in-depth analysis of the related x.509\ncertificate files.',
type: 'group',
- description: 'Fields from the Nginx log files.',
fields: [
{
- name: 'access',
- type: 'group',
- description: 'Contains fields for the Nginx access logs.',
- fields: [
- {
- name: 'remote_ip_list',
- type: 'array',
- description:
- 'An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`.',
- },
- {
- name: 'body_sent.bytes',
- type: 'alias',
- path: 'http.response.body.bytes',
- migration: true,
- },
- {
- name: 'remote_ip',
- type: 'alias',
- path: 'source.ip',
- migration: true,
- },
- {
- name: 'user_name',
- type: 'alias',
- path: 'user.name',
- migration: true,
- },
- {
- name: 'method',
- type: 'alias',
- path: 'http.request.method',
- migration: true,
- },
- {
- name: 'url',
- type: 'alias',
- path: 'url.original',
- migration: true,
- },
- {
- name: 'http_version',
- type: 'alias',
- path: 'http.version',
- migration: true,
- },
- {
- name: 'response_code',
- type: 'alias',
- path: 'http.response.status_code',
- migration: true,
- },
- {
- name: 'referrer',
- type: 'alias',
- path: 'http.request.referrer',
- migration: true,
- },
- {
- name: 'agent',
- type: 'alias',
- path: 'user_agent.original',
- migration: true,
- },
- {
- name: 'user_agent',
- type: 'group',
- fields: [
- {
- name: 'device',
- type: 'alias',
- path: 'user_agent.device.name',
- migration: true,
- },
- {
- name: 'name',
- type: 'alias',
- path: 'user_agent.name',
- migration: true,
- },
- {
- name: 'os',
- type: 'alias',
- path: 'user_agent.os.full_name',
- migration: true,
- },
- {
- name: 'os_name',
- type: 'alias',
- path: 'user_agent.os.name',
- migration: true,
- },
- {
- name: 'original',
- type: 'alias',
- path: 'user_agent.original',
- migration: true,
- },
- ],
- },
- {
- name: 'geoip',
- type: 'group',
- fields: [
- {
- name: 'continent_name',
- type: 'alias',
- path: 'source.geo.continent_name',
- migration: true,
- },
- {
- name: 'country_iso_code',
- type: 'alias',
- path: 'source.geo.country_iso_code',
- migration: true,
- },
- {
- name: 'location',
- type: 'alias',
- path: 'source.geo.location',
- migration: true,
- },
- {
- name: 'region_name',
- type: 'alias',
- path: 'source.geo.region_name',
- migration: true,
- },
- {
- name: 'city_name',
- type: 'alias',
- path: 'source.geo.city_name',
- migration: true,
- },
- {
- name: 'region_iso_code',
- type: 'alias',
- path: 'source.geo.region_iso_code',
- migration: true,
- },
- ],
- },
- ],
+ name: 'cipher',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'String indicating the cipher used during the current connection.',
+ example: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
+ default_field: false,
},
{
- name: 'error',
- type: 'group',
- description: 'Contains fields for the Nginx error logs.',
- fields: [
- {
- name: 'connection_id',
- type: 'long',
- description: 'Connection identifier.',
- },
- {
- name: 'level',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- {
- name: 'pid',
- type: 'alias',
- path: 'process.pid',
- migration: true,
- },
- {
- name: 'tid',
- type: 'alias',
- path: 'process.thread.id',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- ],
+ name: 'client.certificate',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'PEM-encoded stand-alone certificate offered by the client. This\nis usually mutually-exclusive of `client.certificate_chain` since this value\nalso exists in that list.',
+ example: 'MII...',
+ default_field: false,
},
- ],
- },
- ],
- },
- {
- key: 'osquery',
- title: 'Osquery',
- description: 'Fields exported by the `osquery` module',
- fields: [
- {
- name: 'osquery',
- type: 'group',
- description: '',
- fields: [
{
- name: 'result',
- type: 'group',
- description: 'Common fields exported by the result metricset.',
- fields: [
- {
- name: 'name',
- type: 'keyword',
- description: 'The name of the query that generated this event.',
- },
- {
- name: 'action',
- type: 'keyword',
- description:
- 'For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot".',
- },
- {
- name: 'host_identifier',
- type: 'keyword',
- description:
- 'The identifier for the host on which the osquery agent is running. Normally the hostname.',
- },
- {
- name: 'unix_time',
- type: 'long',
- description:
- 'Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column.',
- },
- {
- name: 'calendar_time',
- type: 'keyword',
- description:
- 'String representation of the collection time, as formatted by osquery.',
- },
- ],
+ name: 'client.certificate_chain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of PEM-encoded certificates that make up the certificate\nchain offered by the client. This is usually mutually-exclusive of `client.certificate`\nsince that value should be the first certificate in the chain.',
+ example: ['MII...', 'MII...'],
+ default_field: false,
},
- ],
- },
- ],
- },
- {
- key: 'postgresql',
- title: 'PostgreSQL',
- description: 'Module for parsing the PostgreSQL log files.',
- short_config: true,
- fields: [
- {
- name: 'postgresql',
- type: 'group',
- description: 'Fields from PostgreSQL logs.',
- fields: [
{
- name: 'log',
- type: 'group',
- description: 'Fields from the PostgreSQL log files.',
- fields: [
- {
- name: 'timestamp',
- description: 'The timestamp from the log line.',
- },
- {
- name: 'core_id',
- type: 'long',
- description: 'Core id',
- },
- {
- name: 'database',
- example: 'mydb',
- description: 'Name of database',
- },
- {
- name: 'query',
- example: 'SELECT * FROM users;',
- description: 'Query statement.',
- },
- {
- name: 'timezone',
- type: 'alias',
- path: 'event.timezone',
- migration: true,
- },
- {
- name: 'thread_id',
- type: 'alias',
- path: 'process.pid',
- migration: true,
- },
- {
- name: 'user',
- type: 'alias',
- path: 'user.name',
- migration: true,
- },
- {
- name: 'level',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
+ name: 'client.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the MD5 digest of DER-encoded version\nof certificate offered by the client. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC',
+ default_field: false,
+ },
+ {
+ name: 'client.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA1 digest of DER-encoded version\nof certificate offered by the client. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '9E393D93138888D288266C2D915214D1D1CCEB2A',
+ default_field: false,
+ },
+ {
+ name: 'client.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA256 digest of DER-encoded\nversion of certificate offered by the client. For consistency with other hash\nvalues, this value should be formatted as an uppercase hash.',
+ example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0',
+ default_field: false,
+ },
+ {
+ name: 'client.issuer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Distinguished name of subject of the issuer of the x.509 certificate\npresented by the client.',
+ example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'client.ja3',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash that identifies clients based on how they perform an SSL/TLS\nhandshake.',
+ example: 'd4e5b18d6b55c71272893221c96ba240',
+ default_field: false,
+ },
+ {
+ name: 'client.not_after',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Date/Time indicating when client certificate is no longer considered\nvalid.',
+ example: '2021-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'client.not_before',
+ level: 'extended',
+ type: 'date',
+ description: 'Date/Time indicating when client certificate is first considered\nvalid.',
+ example: '1970-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'client.server_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Also called an SNI, this tells the server which hostname to which\nthe client is attempting to connect. When this value is available, it should\nget copied to `destination.domain`.',
+ example: 'www.elastic.co',
+ default_field: false,
+ },
+ {
+ name: 'client.subject',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Distinguished name of subject of the x.509 certificate presented\nby the client.',
+ example: 'CN=myclient, OU=Documentation Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'client.supported_ciphers',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Array of ciphers offered by the client during the client hello.',
+ example: [
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+ '...',
],
+ default_field: false,
+ },
+ {
+ name: 'curve',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'String indicating the curve used for the given cipher, when applicable.',
+ example: 'secp256r1',
+ default_field: false,
+ },
+ {
+ name: 'established',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean flag indicating if the TLS negotiation was successful and\ntransitioned to an encrypted tunnel.',
+ default_field: false,
+ },
+ {
+ name: 'next_protocol',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'String indicating the protocol being tunneled. Per the values in\nthe IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),\nthis string should be lower case.',
+ example: 'http/1.1',
+ default_field: false,
+ },
+ {
+ name: 'resumed',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean flag indicating if this TLS connection was resumed from\nan existing TLS negotiation.',
+ default_field: false,
+ },
+ {
+ name: 'server.certificate',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'PEM-encoded stand-alone certificate offered by the server. This\nis usually mutually-exclusive of `server.certificate_chain` since this value\nalso exists in that list.',
+ example: 'MII...',
+ default_field: false,
+ },
+ {
+ name: 'server.certificate_chain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of PEM-encoded certificates that make up the certificate\nchain offered by the server. This is usually mutually-exclusive of `server.certificate`\nsince that value should be the first certificate in the chain.',
+ example: ['MII...', 'MII...'],
+ default_field: false,
+ },
+ {
+ name: 'server.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the MD5 digest of DER-encoded version\nof certificate offered by the server. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC',
+ default_field: false,
+ },
+ {
+ name: 'server.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA1 digest of DER-encoded version\nof certificate offered by the server. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '9E393D93138888D288266C2D915214D1D1CCEB2A',
+ default_field: false,
+ },
+ {
+ name: 'server.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA256 digest of DER-encoded\nversion of certificate offered by the server. For consistency with other hash\nvalues, this value should be formatted as an uppercase hash.',
+ example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0',
+ default_field: false,
+ },
+ {
+ name: 'server.issuer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject of the issuer of the x.509 certificate presented by the\nserver.',
+ example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'server.ja3s',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash that identifies servers based on how they perform an SSL/TLS\nhandshake.',
+ example: '394441ab65754e2207b1e1b457b3641d',
+ default_field: false,
+ },
+ {
+ name: 'server.not_after',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Timestamp indicating when server certificate is no longer considered\nvalid.',
+ example: '2021-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'server.not_before',
+ level: 'extended',
+ type: 'date',
+ description: 'Timestamp indicating when server certificate is first considered\nvalid.',
+ example: '1970-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'server.subject',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject of the x.509 certificate presented by the server.',
+ example: 'CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Numeric part of the version parsed from the original string.',
+ example: '1.2',
+ default_field: false,
+ },
+ {
+ name: 'version_protocol',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Normalized lowercase protocol name parsed from original string.',
+ example: 'tls',
+ default_field: false,
},
],
},
- ],
- },
- {
- key: 'redis',
- title: 'Redis',
- description: 'Redis Module',
- fields: [
{
- name: 'redis',
+ name: 'tracing',
+ title: 'Tracing',
+ group: 2,
+ description:
+ 'Distributed tracing makes it possible to analyze performance throughout\na microservice architecture all in one view. This is accomplished by tracing\nall of the requests - from the initial web request in the front-end service\n- to queries made through multiple back-end services.',
type: 'group',
- description: '',
fields: [
{
- name: 'log',
- type: 'group',
- description: 'Redis log files',
- fields: [
- {
- name: 'role',
- type: 'keyword',
- description:
- 'The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`.',
- },
- {
- name: 'pid',
- type: 'alias',
- path: 'process.pid',
- migration: true,
- },
- {
- name: 'level',
- type: 'alias',
- path: 'log.level',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- ],
+ name: 'trace.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the trace.\n\nA trace groups multiple events like transactions that belong together. For\nexample, a user request handled by multiple inter-connected services.',
+ example: '4bf92f3577b34da6a3ce929d0e0e4736',
},
{
- name: 'slowlog',
- type: 'group',
- description: 'Slow logs are retrieved from Redis via a network connection.',
- fields: [
- {
- name: 'cmd',
- type: 'keyword',
- description: 'The command executed.',
- },
- {
- name: 'duration.us',
- type: 'long',
- description: 'How long it took to execute the command in microseconds.',
- },
- {
- name: 'id',
- type: 'long',
- description: 'The ID of the query.',
- },
- {
- name: 'key',
- type: 'keyword',
- description: 'The key on which the command was executed.',
- },
- {
- name: 'args',
- type: 'keyword',
- description: 'The arguments with which the command was called.',
- },
- ],
+ name: 'transaction.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the transaction.\n\nA transaction is the highest level of work measured within a service, such\nas a request to a server.',
+ example: '00f067aa0ba902b7',
},
],
},
- ],
- },
- {
- key: 'santa',
- title: 'Google Santa',
- description: 'Santa Module',
- fields: [
{
- name: 'santa',
+ name: 'url',
+ title: 'URL',
+ group: 2,
+ description:
+ 'URL fields provide support for complete or partial URLs, and supports\nthe breaking down into scheme, domain, path, and so on.',
type: 'group',
- description: '',
fields: [
{
- name: 'action',
+ name: 'domain',
+ level: 'extended',
type: 'keyword',
- example: 'EXEC',
- description: 'Action',
+ ignore_above: 1024,
+ description:
+ 'Domain of the url, such as "www.elastic.co".\n\nIn some cases a URL may refer to an IP and/or port directly, without a domain\nname. In this case, the IP address would go to the `domain` field.',
+ example: 'www.elastic.co',
},
{
- name: 'decision',
+ name: 'extension',
+ level: 'extended',
type: 'keyword',
- example: 'ALLOW',
- description: 'Decision that santad took.',
+ ignore_above: 1024,
+ description:
+ 'The field contains the file extension from the original request\nurl.\n\nThe file extension is only set if it exists, as not every url has a file extension.\n\nThe leading period must not be included. For example, the value must be "png",\nnot ".png".',
+ example: 'png',
},
{
- name: 'reason',
+ name: 'fragment',
+ level: 'extended',
type: 'keyword',
- example: 'CERT',
- description: 'Reason for the decsision.',
+ ignore_above: 1024,
+ description:
+ 'Portion of the url after the `#`, such as "top".\n\nThe `#` is not part of the fragment.',
},
{
- name: 'mode',
+ name: 'full',
+ level: 'extended',
type: 'keyword',
- example: 'M',
- description: 'Operating mode of Santa.',
- },
- {
- name: 'disk',
- type: 'group',
- description: 'Fields for DISKAPPEAR actions.',
- fields: [
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'volume',
- description: 'The volume name.',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
+ ],
+ description:
+ 'If full URLs are important to your use case, they should be stored\nin `url.full`, whether this field is reconstructed or present in the event\nsource.',
+ example: 'https://www.elastic.co:443/search?q=elasticsearch#top',
+ },
+ {
+ name: 'original',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'bus',
- description: 'The disk bus protocol.',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
- {
- name: 'serial',
- description: 'The disk serial number.',
+ ],
+ description:
+ 'Unmodified original url as seen in the event source.\n\nNote that in network monitoring, the observed URL may be a full URL, whereas\nin access logs, the URL is often just represented as a path.\n\nThis field is meant to represent the URL as it was observed, complete or not.',
+ example:
+ 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch',
+ },
+ {
+ name: 'password',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Password of the request.',
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Path of the request, such as "/search".',
+ },
+ {
+ name: 'port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the request, such as 443.',
+ example: 443,
+ },
+ {
+ name: 'query',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The query field describes the query string of the request, such\nas "q=elasticsearch".\n\nThe `?` is excluded from the query string. If a URL contains no `?`, there\nis no query field. If there is a `?` but no query, the query field exists\nwith an empty string. The `exists` query can be used to differentiate between\nthe two cases.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered url domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'scheme',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Scheme of the request, such as "https".\n\nNote: The `:` is not part of the scheme.',
+ example: 'https',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'username',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Username of the request.',
+ },
+ ],
+ },
+ {
+ name: 'user',
+ title: 'User',
+ group: 2,
+ description:
+ 'The user fields describe information about the user that is relevant\nto the event.\n\nFields can have one entry or multiple entries. If a user has more than one id,\nprovide an array that includes all of them.',
+ type: 'group',
+ fields: [
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'bsdname',
- example: 'disk1s3',
- description: 'The disk BSD name.',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'user_agent',
+ title: 'User agent',
+ group: 2,
+ description:
+ 'The user_agent fields normally come from a browser request.\n\nThey often show up in web service logs coming from the parsed user agent string.',
+ type: 'group',
+ fields: [
+ {
+ name: 'device.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the device.',
+ example: 'iPhone',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the user agent.',
+ example: 'Safari',
+ },
+ {
+ name: 'original',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'model',
- example: 'APPLE SSD SM0512L',
- description: 'The disk model.',
+ name: 'text',
+ type: 'text',
+ norms: false,
},
+ ],
+ description: 'Unparsed user_agent string.',
+ example:
+ 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15\n(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
+ },
+ {
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'fs',
- example: 'apfs',
- description: 'The disk volume kind (filesystem type).',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'mount',
- description: 'The disk volume path.',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Version of the user agent.',
+ example: 12,
},
],
},
{
- name: 'certificate.common_name',
- type: 'keyword',
- description: 'Common name from code signing certificate.',
- },
- {
- name: 'certificate.sha256',
- type: 'keyword',
- description: 'SHA256 hash of code signing certificate.',
- },
- {
- name: 'hash.sha256',
- type: 'keyword',
- description: 'Hash of process executable.',
+ name: 'vlan',
+ title: 'VLAN',
+ group: 2,
+ description:
+ 'The VLAN fields are used to identify 802.1q tag(s) of a packet,\nas well as ingress and egress VLAN associations of an observer in relation to\na specific packet or connection.\n\nNetwork.vlan fields are used to record a single VLAN tag, or the outer tag in\nthe case of q-in-q encapsulations, for a packet or connection as observed, typically\nprovided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.\n\nNetwork.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple\n802.1q encapsulations) as observed, typically provided by a network sensor (e.g.\nZeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should\nonly be used in addition to network.vlan fields to indicate q-in-q tagging.\n\nObserver.ingress and observer.egress VLAN values are used to record observer\nspecific information when observer events contain discrete ingress and egress\nVLAN information, typically provided by firewalls, routers, or load balancers.',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ ],
},
- ],
- },
- {
- key: 'system',
- title: 'System',
- description: 'Module for parsing system log files.',
- short_config: true,
- fields: [
{
- name: 'system',
+ name: 'vulnerability',
+ title: 'Vulnerability',
+ group: 2,
+ description:
+ 'The vulnerability fields describe information about a vulnerability\nthat is relevant to an event.',
type: 'group',
- description: 'Fields from the system log files.',
fields: [
{
- name: 'auth',
- type: 'group',
- description: 'Fields from the Linux authorization logs.',
- fields: [
+ name: 'category',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of system or architecture that the vulnerability affects.\nThese may be platform-specific (for example, Debian or SUSE) or general (for\nexample, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys\nvulnerability categories])\n\nThis field must be an array.',
+ example: '["Firewall"]',
+ default_field: false,
+ },
+ {
+ name: 'classification',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The classification of the vulnerability scoring system. For example\n(https://www.first.org/cvss/)',
+ example: 'CVSS',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'timestamp',
- type: 'alias',
- path: '@timestamp',
- migration: true,
- },
- {
- name: 'hostname',
- type: 'alias',
- path: 'host.hostname',
- migration: true,
- },
- {
- name: 'program',
- type: 'alias',
- path: 'process.name',
- migration: true,
- },
- {
- name: 'pid',
- type: 'alias',
- path: 'process.pid',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- {
- name: 'user',
- type: 'alias',
- path: 'user.name',
- migration: true,
- },
- {
- name: 'ssh',
- type: 'group',
- fields: [
- {
- name: 'method',
- description:
- 'The SSH authentication method. Can be one of "password" or "publickey".',
- },
- {
- name: 'signature',
- description: 'The signature of the client public key.',
- },
- {
- name: 'dropped_ip',
- type: 'ip',
- description:
- 'The client IP from SSH connections that are open and immediately dropped.',
- },
- {
- name: 'event',
- type: 'alias',
- path: 'event.action',
- migration: true,
- },
- {
- name: 'ip',
- type: 'alias',
- path: 'source.ip',
- migration: true,
- },
- {
- name: 'port',
- type: 'alias',
- path: 'source.port',
- migration: true,
- },
- {
- name: 'geoip',
- type: 'group',
- fields: [
- {
- name: 'continent_name',
- type: 'alias',
- path: 'source.geo.continent_name',
- migration: true,
- },
- {
- name: 'country_iso_code',
- type: 'alias',
- path: 'source.geo.country_iso_code',
- migration: true,
- },
- {
- name: 'location',
- type: 'alias',
- path: 'source.geo.location',
- migration: true,
- },
- {
- name: 'region_name',
- type: 'alias',
- path: 'source.geo.region_name',
- migration: true,
- },
- {
- name: 'city_name',
- type: 'alias',
- path: 'source.geo.city_name',
- migration: true,
- },
- {
- name: 'region_iso_code',
- type: 'alias',
- path: 'source.geo.region_iso_code',
- migration: true,
- },
- ],
- },
- ],
- },
- {
- name: 'sudo',
- type: 'group',
- description: 'Fields specific to events created by the `sudo` command.',
- fields: [
- {
- name: 'error',
- example: 'user NOT in sudoers',
- description: 'The error message in case the sudo command failed.',
- },
- {
- name: 'tty',
- description: 'The TTY where the sudo command is executed.',
- },
- {
- name: 'pwd',
- description: 'The current directory where the sudo command is executed.',
- },
- {
- name: 'user',
- example: 'root',
- description: 'The target user to which the sudo command is switching.',
- },
- {
- name: 'command',
- description: 'The command executed via sudo.',
- },
- ],
- },
- {
- name: 'useradd',
- type: 'group',
- description: 'Fields specific to events created by the `useradd` command.',
- fields: [
- {
- name: 'home',
- description: 'The home folder for the new user.',
- },
- {
- name: 'shell',
- description: 'The default shell for the new user.',
- },
- {
- name: 'name',
- type: 'alias',
- path: 'user.name',
- migration: true,
- },
- {
- name: 'uid',
- type: 'alias',
- path: 'user.id',
- migration: true,
- },
- {
- name: 'gid',
- type: 'alias',
- path: 'group.id',
- migration: true,
- },
- ],
- },
- {
- name: 'groupadd',
- type: 'group',
- description: 'Fields specific to events created by the `groupadd` command.',
- fields: [
- {
- name: 'name',
- type: 'alias',
- path: 'group.name',
- migration: true,
- },
- {
- name: 'gid',
- type: 'alias',
- path: 'group.id',
- migration: true,
- },
- ],
+ name: 'text',
+ type: 'text',
+ norms: false,
},
],
+ description:
+ 'The description of the vulnerability that provides additional context\nof the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common\nVulnerabilities and Exposure CVE description])',
+ example: 'In macOS before 2.12.6, there is a vulnerability in the RPC...',
+ default_field: false,
},
{
- name: 'syslog',
- type: 'group',
- description: 'Contains fields from the syslog system logs.',
- fields: [
- {
- name: 'timestamp',
- type: 'alias',
- path: '@timestamp',
- migration: true,
- },
- {
- name: 'hostname',
- type: 'alias',
- path: 'host.hostname',
- migration: true,
- },
- {
- name: 'program',
- type: 'alias',
- path: 'process.name',
- migration: true,
- },
- {
- name: 'pid',
- type: 'alias',
- path: 'process.pid',
- migration: true,
- },
- {
- name: 'message',
- type: 'alias',
- path: 'message',
- migration: true,
- },
- ],
+ name: 'enumeration',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of identifier used for this vulnerability. For example\n(https://cve.mitre.org/about/)',
+ example: 'CVE',
+ default_field: false,
},
- ],
- },
- ],
- },
- {
- key: 'traefik',
- title: 'Traefik',
- description: 'Module for parsing the Traefik log files.',
- fields: [
- {
- name: 'traefik',
- type: 'group',
- description: 'Fields from the Traefik log files.',
- fields: [
{
- name: 'access',
- type: 'group',
- description: 'Contains fields for the Traefik access logs.',
- fields: [
- {
- name: 'user_identifier',
- type: 'keyword',
- description: 'Is the RFC 1413 identity of the client',
- },
- {
- name: 'request_count',
- type: 'long',
- description: 'The number of requests',
- },
- {
- name: 'frontend_name',
- type: 'keyword',
- description: 'The name of the frontend used',
- },
- {
- name: 'backend_url',
- type: 'keyword',
- description: 'The url of the backend where request is forwarded',
- },
- {
- name: 'body_sent.bytes',
- type: 'alias',
- path: 'http.response.body.bytes',
- migration: true,
- },
- {
- name: 'remote_ip',
- type: 'alias',
- path: 'source.address',
- migration: true,
- },
- {
- name: 'user_name',
- type: 'alias',
- path: 'user.name',
- migration: true,
- },
- {
- name: 'method',
- type: 'alias',
- path: 'http.request.method',
- migration: true,
- },
- {
- name: 'url',
- type: 'alias',
- path: 'url.original',
- migration: true,
- },
- {
- name: 'http_version',
- type: 'alias',
- path: 'http.version',
- migration: true,
- },
- {
- name: 'response_code',
- type: 'alias',
- path: 'http.response.status_code',
- migration: true,
- },
- {
- name: 'referrer',
- type: 'alias',
- path: 'http.request.referrer',
- migration: true,
- },
- {
- name: 'agent',
- type: 'alias',
- path: 'user_agent.original',
- migration: true,
- },
- {
- name: 'user_agent',
- type: 'group',
- fields: [
- {
- name: 'device',
- type: 'alias',
- path: 'user_agent.device.name',
- },
- {
- name: 'name',
- type: 'alias',
- path: 'user_agent.name',
- },
- {
- name: 'os',
- type: 'alias',
- path: 'user_agent.os.full_name',
- },
- {
- name: 'os_name',
- type: 'alias',
- path: 'user_agent.os.name',
- },
- {
- name: 'original',
- type: 'alias',
- path: 'user_agent.original',
- },
- ],
- },
- {
- name: 'geoip',
- type: 'group',
- fields: [
- {
- name: 'continent_name',
- type: 'alias',
- path: 'source.geo.continent_name',
- },
- {
- name: 'country_iso_code',
- type: 'alias',
- path: 'source.geo.country_iso_code',
- },
- {
- name: 'location',
- type: 'alias',
- path: 'source.geo.location',
- },
- {
- name: 'region_name',
- type: 'alias',
- path: 'source.geo.region_name',
- },
- {
- name: 'city_name',
- type: 'alias',
- path: 'source.geo.city_name',
- },
- {
- name: 'region_iso_code',
- type: 'alias',
- path: 'source.geo.region_iso_code',
- },
- ],
- },
- ],
- },
- ],
- },
- ],
- },
- {
- key: 'iptables',
- title: 'iptables',
- description: 'Module for handling the iptables logs.',
- fields: [
- {
- name: 'iptables',
- type: 'group',
- description: 'Fields from the iptables logs.',
- fields: [
- {
- name: 'ether_type',
- type: 'long',
- description: 'Value of the ethernet type field identifying the network layer protocol.',
- },
- {
- name: 'flow_label',
- type: 'integer',
- description: 'IPv6 flow label.',
- },
- {
- name: 'fragment_flags',
+ name: 'id',
+ level: 'extended',
type: 'keyword',
- description: 'IP fragment flags. A combination of CE, DF and MF.',
- },
- {
- name: 'fragment_offset',
- type: 'long',
- description: 'Offset of the current IP fragment.',
- },
- {
- name: 'icmp',
- type: 'group',
- description: 'ICMP fields.',
- fields: [
- {
- name: 'code',
- type: 'long',
- description: 'ICMP code.',
- },
- {
- name: 'id',
- type: 'long',
- description: 'ICMP ID.',
- },
- {
- name: 'parameter',
- type: 'long',
- description: 'ICMP parameter.',
- },
- {
- name: 'redirect',
- type: 'ip',
- description: 'ICMP redirect address.',
- },
- {
- name: 'seq',
- type: 'long',
- description: 'ICMP sequence number.',
- },
- {
- name: 'type',
- type: 'long',
- description: 'ICMP type.',
- },
- ],
+ ignore_above: 1024,
+ description:
+ 'The identification (ID) is the number portion of a vulnerability\nentry. It includes a unique identification number for the vulnerability. For\nexample (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities\nand Exposure CVE ID]',
+ example: 'CVE-2019-00001',
+ default_field: false,
},
{
- name: 'id',
- type: 'long',
- description: 'Packet identifier.',
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A resource that provides additional information, context, and mitigations\nfor the identified vulnerability.',
+ example: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111',
+ default_field: false,
},
{
- name: 'incomplete_bytes',
- type: 'long',
- description: 'Number of incomplete bytes.',
+ name: 'report_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The report or scan identification number.',
+ example: 20191018.0001,
+ default_field: false,
},
{
- name: 'input_device',
+ name: 'scanner.vendor',
+ level: 'extended',
type: 'keyword',
- description: 'Device that received the packet.',
+ ignore_above: 1024,
+ description: 'The name of the vulnerability scanner vendor.',
+ example: 'Tenable',
+ default_field: false,
},
{
- name: 'precedence_bits',
- type: 'short',
- description: 'IP precedence bits.',
+ name: 'score.base',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nBase scores cover an assessment for exploitability metrics (attack vector,\ncomplexity, privileges, and user interaction), impact metrics (confidentiality,\nintegrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)',
+ example: 5.5,
+ default_field: false,
},
{
- name: 'tos',
- type: 'long',
- description: 'IP Type of Service field.',
+ name: 'score.environmental',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality,\nintegrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)',
+ example: 5.5,
+ default_field: false,
},
{
- name: 'length',
- type: 'long',
- description: 'Packet length.',
+ name: 'score.temporal',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nTemporal scores cover an assessment for code maturity, remediation level,\nand confidence. For example (https://www.first.org/cvss/specification-document)',
+ default_field: false,
},
{
- name: 'output_device',
+ name: 'score.version',
+ level: 'extended',
type: 'keyword',
- description: 'Device that output the packet.',
- },
- {
- name: 'tcp',
- type: 'group',
- description: 'TCP fields.',
- fields: [
- {
- name: 'flags',
- type: 'keyword',
- description: 'TCP flags.',
- },
- {
- name: 'reserved_bits',
- type: 'short',
- description: 'TCP reserved bits.',
- },
- {
- name: 'seq',
- type: 'long',
- description: 'TCP sequence number.',
- },
- {
- name: 'ack',
- type: 'long',
- description: 'TCP Acknowledgment number.',
- },
- {
- name: 'window',
- type: 'long',
- description: 'Advertised TCP window size.',
- },
- ],
- },
- {
- name: 'ttl',
- type: 'integer',
- description: 'Time To Live field.',
+ ignore_above: 1024,
+ description:
+ 'The National Vulnerability Database (NVD) provides qualitative\nseverity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score\nranges in addition to the severity ratings for CVSS v3.0 as they are defined\nin the CVSS v3.0 specification.\n\nCVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit\norganization, whose mission is to help computer security incident response\nteams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)',
+ example: 2,
+ default_field: false,
},
{
- name: 'udp',
- type: 'group',
- description: 'UDP fields.',
- fields: [
- {
- name: 'length',
- type: 'long',
- description: 'Length of the UDP header and payload.',
- },
- ],
+ name: 'severity',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The severity of the vulnerability can help with metrics and internal\nprioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)',
+ example: 'Critical',
+ default_field: false,
},
- {
- name: 'ubiquiti',
- type: 'group',
- description: 'Fields for Ubiquiti network devices.',
- fields: [
- {
- name: 'input_zone',
- type: 'keyword',
- description: 'Input zone.',
- },
- {
- name: 'output_zone',
- type: 'keyword',
- description: 'Output zone.',
- },
- {
- name: 'rule_number',
- type: 'keyword',
- description: 'The rule number within the rule set.',
- },
- {
- name: 'rule_set',
- type: 'keyword',
- description: 'The rule set name.',
- },
- ],
+ ],
+ },
+ ],
+ },
+ {
+ key: 'beat',
+ anchor: 'beat-common',
+ title: 'Beat',
+ description: 'Contains common beat fields available in all event types.\n',
+ fields: [
+ {
+ name: 'agent.hostname',
+ type: 'keyword',
+ description: 'Hostname of the agent.',
+ },
+ {
+ name: 'beat.timezone',
+ type: 'alias',
+ path: 'event.timezone',
+ migration: true,
+ },
+ {
+ name: 'fields',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Contains user configurable fields.\n',
+ },
+ {
+ name: 'beat.name',
+ type: 'alias',
+ path: 'host.name',
+ migration: true,
+ },
+ {
+ name: 'beat.hostname',
+ type: 'alias',
+ path: 'agent.hostname',
+ migration: true,
+ },
+ {
+ name: 'timeseries.instance',
+ type: 'keyword',
+ description: 'Time series instance id',
+ },
+ ],
+ },
+ {
+ key: 'cloud',
+ title: 'Cloud provider metadata',
+ description: 'Metadata from cloud providers added by the add_cloud_metadata processor.\n',
+ fields: [
+ {
+ name: 'cloud.project.id',
+ example: 'project-x',
+ description: 'Name of the project in Google Cloud.\n',
+ },
+ {
+ name: 'cloud.image.id',
+ example: 'ami-abcd1234',
+ description: 'Image ID for the cloud instance.\n',
+ },
+ {
+ name: 'meta.cloud.provider',
+ type: 'alias',
+ path: 'cloud.provider',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.instance_id',
+ type: 'alias',
+ path: 'cloud.instance.id',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.instance_name',
+ type: 'alias',
+ path: 'cloud.instance.name',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.machine_type',
+ type: 'alias',
+ path: 'cloud.machine.type',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.availability_zone',
+ type: 'alias',
+ path: 'cloud.availability_zone',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.project_id',
+ type: 'alias',
+ path: 'cloud.project.id',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.region',
+ type: 'alias',
+ path: 'cloud.region',
+ migration: true,
+ },
+ ],
+ },
+ {
+ key: 'docker',
+ title: 'Docker',
+ description: 'Docker stats collected from Docker.\n',
+ short_config: false,
+ anchor: 'docker-processor',
+ fields: [
+ {
+ name: 'docker',
+ type: 'group',
+ fields: [
+ {
+ name: 'container.id',
+ type: 'alias',
+ path: 'container.id',
+ migration: true,
+ },
+ {
+ name: 'container.image',
+ type: 'alias',
+ path: 'container.image.name',
+ migration: true,
+ },
+ {
+ name: 'container.name',
+ type: 'alias',
+ path: 'container.name',
+ migration: true,
+ },
+ {
+ name: 'container.labels',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Image labels.\n',
},
],
},
],
},
{
- key: 'netflow-module',
- title: 'NetFlow',
- description:
- 'Module for receiving NetFlow and IPFIX flow records over UDP. The module does not add fields beyond what the netflow input provides.',
+ key: 'host',
+ title: 'Host',
+ description: 'Info collected for the host machine.\n',
+ anchor: 'host-processor',
+ fields: [
+ {
+ name: 'host',
+ type: 'group',
+ fields: [
+ {
+ name: 'containerized',
+ type: 'boolean',
+ description: 'If the host is a container.\n',
+ },
+ {
+ name: 'os.build',
+ type: 'keyword',
+ example: '18D109',
+ description: 'OS build information.\n',
+ },
+ {
+ name: 'os.codename',
+ type: 'keyword',
+ example: 'stretch',
+ description: 'OS codename, if any.\n',
+ },
+ ],
+ },
+ ],
},
{
- key: 'suricata',
- title: 'Suricata',
- description: 'Module for handling the EVE JSON logs produced by Suricata.',
+ key: 'kubernetes',
+ title: 'Kubernetes',
+ description: 'Kubernetes metadata added by the kubernetes processor\n',
+ short_config: false,
+ anchor: 'kubernetes-processor',
fields: [
{
- name: 'suricata',
+ name: 'kubernetes',
type: 'group',
- description: 'Fields from the Suricata EVE log file.',
fields: [
{
- name: 'eve',
- type: 'group',
- description: 'Fields exported by the EVE JSON logs',
- fields: [
- {
- name: 'event_type',
- type: 'keyword',
- },
- {
- name: 'app_proto_orig',
- type: 'keyword',
- },
- {
- name: 'tcp',
- type: 'group',
- fields: [
- {
- name: 'tcp_flags',
- type: 'keyword',
- },
- {
- name: 'psh',
- type: 'boolean',
- },
- {
- name: 'tcp_flags_tc',
- type: 'keyword',
- },
- {
- name: 'ack',
- type: 'boolean',
- },
- {
- name: 'syn',
- type: 'boolean',
- },
- {
- name: 'state',
- type: 'keyword',
- },
- {
- name: 'tcp_flags_ts',
- type: 'keyword',
- },
- {
- name: 'rst',
- type: 'boolean',
- },
- {
- name: 'fin',
- type: 'boolean',
- },
- ],
- },
- {
- name: 'fileinfo',
- type: 'group',
- fields: [
- {
- name: 'sha1',
- type: 'keyword',
- },
- {
- name: 'filename',
- type: 'alias',
- path: 'file.path',
- },
- {
- name: 'tx_id',
- type: 'long',
- },
- {
- name: 'state',
- type: 'keyword',
- },
- {
- name: 'stored',
- type: 'boolean',
- },
- {
- name: 'gaps',
- type: 'boolean',
- },
- {
- name: 'sha256',
- type: 'keyword',
- },
- {
- name: 'md5',
- type: 'keyword',
- },
- {
- name: 'size',
- type: 'alias',
- path: 'file.size',
- },
- ],
- },
- {
- name: 'icmp_type',
- type: 'long',
- },
- {
- name: 'dest_port',
- type: 'alias',
- path: 'destination.port',
- },
- {
- name: 'src_port',
- type: 'alias',
- path: 'source.port',
- },
- {
- name: 'proto',
- type: 'alias',
- path: 'network.transport',
- },
- {
- name: 'pcap_cnt',
- type: 'long',
- },
- {
- name: 'src_ip',
- type: 'alias',
- path: 'source.ip',
- },
- {
- name: 'dns',
- type: 'group',
- fields: [
- {
- name: 'type',
- type: 'keyword',
- },
- {
- name: 'rrtype',
- type: 'keyword',
- },
- {
- name: 'rrname',
- type: 'keyword',
- },
- {
- name: 'rdata',
- type: 'keyword',
- },
- {
- name: 'tx_id',
- type: 'long',
- },
- {
- name: 'ttl',
- type: 'long',
- },
- {
- name: 'rcode',
- type: 'keyword',
- },
- {
- name: 'id',
- type: 'long',
- },
- ],
- },
+ name: 'pod.name',
+ type: 'keyword',
+ description: 'Kubernetes pod name\n',
+ },
+ {
+ name: 'pod.uid',
+ type: 'keyword',
+ description: 'Kubernetes Pod UID\n',
+ },
+ {
+ name: 'namespace',
+ type: 'keyword',
+ description: 'Kubernetes namespace\n',
+ },
+ {
+ name: 'node.name',
+ type: 'keyword',
+ description: 'Kubernetes node name\n',
+ },
+ {
+ name: 'labels.*',
+ type: 'object',
+ object_type: 'keyword',
+ object_type_mapping_type: '*',
+ description: 'Kubernetes labels map\n',
+ },
+ {
+ name: 'annotations.*',
+ type: 'object',
+ object_type: 'keyword',
+ object_type_mapping_type: '*',
+ description: 'Kubernetes annotations map\n',
+ },
+ {
+ name: 'replicaset.name',
+ type: 'keyword',
+ description: 'Kubernetes replicaset name\n',
+ },
+ {
+ name: 'deployment.name',
+ type: 'keyword',
+ description: 'Kubernetes deployment name\n',
+ },
+ {
+ name: 'statefulset.name',
+ type: 'keyword',
+ description: 'Kubernetes statefulset name\n',
+ },
+ {
+ name: 'container.name',
+ type: 'keyword',
+ description: 'Kubernetes container name\n',
+ },
+ {
+ name: 'container.image',
+ type: 'keyword',
+ description: 'Kubernetes container image\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'process',
+ title: 'Process',
+ description: 'Process metadata fields\n',
+ fields: [
+ {
+ name: 'process',
+ type: 'group',
+ fields: [
+ {
+ name: 'exe',
+ type: 'alias',
+ path: 'process.executable',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'jolokia-autodiscover',
+ title: 'Jolokia Discovery autodiscover provider',
+ description: 'Metadata from Jolokia Discovery added by the jolokia provider.\n',
+ fields: [
+ {
+ name: 'jolokia.agent.version',
+ type: 'keyword',
+ description: 'Version number of jolokia agent.\n',
+ },
+ {
+ name: 'jolokia.agent.id',
+ type: 'keyword',
+ description:
+ 'Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.\n',
+ },
+ {
+ name: 'jolokia.server.product',
+ type: 'keyword',
+ description: 'The container product if detected.\n',
+ },
+ {
+ name: 'jolokia.server.version',
+ type: 'keyword',
+ description: "The container's version (if detected).\n",
+ },
+ {
+ name: 'jolokia.server.vendor',
+ type: 'keyword',
+ description: 'The vendor of the container the agent is running in.\n',
+ },
+ {
+ name: 'jolokia.url',
+ type: 'keyword',
+ description: 'The URL how this agent can be contacted.\n',
+ },
+ {
+ name: 'jolokia.secured',
+ type: 'boolean',
+ description: 'Whether the agent was configured for authentication or not.\n',
+ },
+ ],
+ },
+ {
+ key: 'log',
+ title: 'Log file content',
+ description: 'Contains log file lines.\n',
+ fields: [
+ {
+ name: 'log.file.path',
+ type: 'keyword',
+ required: false,
+ description:
+ 'The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`.\n',
+ },
+ {
+ name: 'log.source.address',
+ type: 'keyword',
+ required: false,
+ description: 'Source address from which the log event was read / sent from.\n',
+ },
+ {
+ name: 'log.offset',
+ type: 'long',
+ required: false,
+ description: 'The file offset the reported line starts at.\n',
+ },
+ {
+ name: 'stream',
+ type: 'keyword',
+ required: false,
+ description: "Log stream when reading container logs, can be 'stdout' or 'stderr'\n",
+ },
+ {
+ name: 'input.type',
+ required: true,
+ description:
+ 'The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file.\n',
+ },
+ {
+ name: 'syslog.facility',
+ type: 'long',
+ required: false,
+ description: 'The facility extracted from the priority.\n',
+ },
+ {
+ name: 'syslog.priority',
+ type: 'long',
+ required: false,
+ description: 'The priority of the syslog event.\n',
+ },
+ {
+ name: 'syslog.severity_label',
+ type: 'keyword',
+ required: false,
+ description: 'The human readable severity.\n',
+ },
+ {
+ name: 'syslog.facility_label',
+ type: 'keyword',
+ required: false,
+ description: 'The human readable facility.\n',
+ },
+ {
+ name: 'process.program',
+ type: 'keyword',
+ required: false,
+ description: 'The name of the program.\n',
+ },
+ {
+ name: 'log.flags',
+ description: 'This field contains the flags of the event.\n',
+ },
+ {
+ name: 'http.response.content_length',
+ type: 'alias',
+ path: 'http.response.body.bytes',
+ migration: true,
+ },
+ {
+ name: 'user_agent',
+ type: 'group',
+ fields: [
+ {
+ name: 'os',
+ type: 'group',
+ fields: [
{
- name: 'flow_id',
+ name: 'full_name',
type: 'keyword',
},
- {
- name: 'email',
- type: 'group',
- fields: [
- {
- name: 'status',
- type: 'keyword',
- },
- ],
- },
- {
- name: 'dest_ip',
- type: 'alias',
- path: 'destination.ip',
+ ],
+ },
+ ],
+ },
+ {
+ name: 'fileset.name',
+ type: 'keyword',
+ description: 'The Filebeat fileset that generated this event.\n',
+ },
+ {
+ name: 'fileset.module',
+ type: 'alias',
+ path: 'event.module',
+ migration: true,
+ },
+ {
+ name: 'read_timestamp',
+ type: 'alias',
+ path: 'event.created',
+ migration: true,
+ },
+ {
+ name: 'docker.attrs',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ "docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options.\n",
+ },
+ {
+ name: 'icmp.code',
+ type: 'keyword',
+ description: 'ICMP code.\n',
+ },
+ {
+ name: 'icmp.type',
+ type: 'keyword',
+ description: 'ICMP type.\n',
+ },
+ {
+ name: 'igmp.type',
+ type: 'keyword',
+ description: 'IGMP type.\n',
+ },
+ {
+ name: 'azure',
+ type: 'group',
+ fields: [
+ {
+ name: 'eventhub',
+ type: 'keyword',
+ description: 'Name of the eventhub.\n',
+ },
+ {
+ name: 'offset',
+ type: 'long',
+ description: 'The offset.\n',
+ },
+ {
+ name: 'enqueued_time',
+ type: 'date',
+ description: 'The enqueued time.\n',
+ },
+ {
+ name: 'partition_id',
+ type: 'long',
+ description: 'The partition id.\n',
+ },
+ {
+ name: 'consumer_group',
+ type: 'keyword',
+ description: 'The consumer group.\n',
+ },
+ {
+ name: 'sequence_number',
+ type: 'long',
+ description: 'The sequence number.\n',
+ },
+ ],
+ },
+ {
+ name: 'kafka',
+ type: 'group',
+ fields: [
+ {
+ name: 'topic',
+ type: 'keyword',
+ description: 'Kafka topic\n',
+ },
+ {
+ name: 'partition',
+ type: 'long',
+ description: 'Kafka partition number\n',
+ },
+ {
+ name: 'offset',
+ type: 'long',
+ description: 'Kafka offset of this message\n',
+ },
+ {
+ name: 'key',
+ type: 'keyword',
+ description: 'Kafka key, corresponding to the Kafka value stored in the message\n',
+ },
+ {
+ name: 'block_timestamp',
+ type: 'date',
+ description: 'Kafka outer (compressed) block timestamp\n',
+ },
+ {
+ name: 'headers',
+ type: 'array',
+ description:
+ 'An array of Kafka header strings for this message, in the form ": ".\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'apache',
+ title: 'Apache',
+ description: 'Apache Module\n',
+ short_config: true,
+ fields: [
+ {
+ name: 'apache2',
+ type: 'group',
+ description: 'Aliases for backward compatibility with old apache2 fields\n',
+ fields: [
+ {
+ name: 'access',
+ type: 'group',
+ fields: [
+ {
+ name: 'remote_ip',
+ type: 'alias',
+ path: 'source.address',
+ migration: true,
},
{
- name: 'icmp_code',
- type: 'long',
+ name: 'ssl.protocol',
+ type: 'alias',
+ path: 'apache.access.ssl.protocol',
+ migration: true,
},
{
- name: 'http',
+ name: 'ssl.cipher',
+ type: 'alias',
+ path: 'apache.access.ssl.cipher',
+ migration: true,
+ },
+ {
+ name: 'body_sent.bytes',
+ type: 'alias',
+ path: 'http.response.body.bytes',
+ migration: true,
+ },
+ {
+ name: 'user_name',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'method',
+ type: 'alias',
+ path: 'http.request.method',
+ migration: true,
+ },
+ {
+ name: 'url',
+ type: 'alias',
+ path: 'url.original',
+ migration: true,
+ },
+ {
+ name: 'http_version',
+ type: 'alias',
+ path: 'http.version',
+ migration: true,
+ },
+ {
+ name: 'response_code',
+ type: 'alias',
+ path: 'http.response.status_code',
+ migration: true,
+ },
+ {
+ name: 'referrer',
+ type: 'alias',
+ path: 'http.request.referrer',
+ migration: true,
+ },
+ {
+ name: 'agent',
+ type: 'alias',
+ path: 'user_agent.original',
+ migration: true,
+ },
+ {
+ name: 'user_agent',
type: 'group',
fields: [
{
- name: 'status',
+ name: 'device',
type: 'alias',
- path: 'http.response.status_code',
+ path: 'user_agent.device.name',
+ migration: true,
},
{
- name: 'redirect',
- type: 'keyword',
+ name: 'name',
+ type: 'alias',
+ path: 'user_agent.name',
+ migration: true,
},
{
- name: 'http_user_agent',
+ name: 'os',
type: 'alias',
- path: 'user_agent.original',
+ path: 'user_agent.os.full_name',
+ migration: true,
},
{
- name: 'protocol',
- type: 'keyword',
+ name: 'os_name',
+ type: 'alias',
+ path: 'user_agent.os.name',
+ migration: true,
},
{
- name: 'http_refer',
+ name: 'original',
type: 'alias',
- path: 'http.request.referrer',
+ path: 'user_agent.original',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'geoip',
+ type: 'group',
+ fields: [
+ {
+ name: 'continent_name',
+ type: 'alias',
+ path: 'source.geo.continent_name',
+ migration: true,
},
{
- name: 'url',
+ name: 'country_iso_code',
type: 'alias',
- path: 'url.original',
+ path: 'source.geo.country_iso_code',
+ migration: true,
},
{
- name: 'hostname',
+ name: 'location',
type: 'alias',
- path: 'url.domain',
+ path: 'source.geo.location',
+ migration: true,
},
{
- name: 'length',
+ name: 'region_name',
type: 'alias',
- path: 'http.response.body.bytes',
+ path: 'source.geo.region_name',
+ migration: true,
},
{
- name: 'http_method',
+ name: 'city_name',
type: 'alias',
- path: 'http.request.method',
+ path: 'source.geo.city_name',
+ migration: true,
},
{
- name: 'http_content_type',
- type: 'keyword',
+ name: 'region_iso_code',
+ type: 'alias',
+ path: 'source.geo.region_iso_code',
+ migration: true,
},
],
},
+ ],
+ },
+ {
+ name: 'error',
+ type: 'group',
+ fields: [
{
- name: 'timestamp',
+ name: 'level',
type: 'alias',
- path: '@timestamp',
+ path: 'log.level',
+ migration: true,
},
{
- name: 'in_iface',
- type: 'keyword',
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
},
{
- name: 'alert',
- type: 'group',
- fields: [
- {
- name: 'category',
- type: 'keyword',
- },
- {
- name: 'severity',
- type: 'alias',
- path: 'event.severity',
- },
- {
- name: 'rev',
- type: 'long',
- },
- {
- name: 'gid',
- type: 'long',
- },
- {
- name: 'signature',
- type: 'keyword',
- },
- {
- name: 'action',
- type: 'alias',
- path: 'event.outcome',
- },
- {
- name: 'signature_id',
- type: 'long',
- },
- ],
+ name: 'pid',
+ type: 'alias',
+ path: 'process.pid',
+ migration: true,
},
{
- name: 'ssh',
- type: 'group',
- fields: [
- {
- name: 'client',
- type: 'group',
- fields: [
- {
- name: 'proto_version',
- type: 'keyword',
- },
- {
- name: 'software_version',
- type: 'keyword',
- },
- ],
- },
- {
- name: 'server',
- type: 'group',
- fields: [
- {
- name: 'proto_version',
- type: 'keyword',
- },
- {
- name: 'software_version',
- type: 'keyword',
- },
- ],
- },
- ],
+ name: 'tid',
+ type: 'alias',
+ path: 'process.thread.id',
+ migration: true,
},
{
- name: 'stats',
- type: 'group',
- fields: [
- {
- name: 'capture',
- type: 'group',
- fields: [
- {
- name: 'kernel_packets',
- type: 'long',
- },
- {
- name: 'kernel_drops',
- type: 'long',
- },
- {
- name: 'kernel_ifdrops',
- type: 'long',
- },
- ],
- },
- {
- name: 'uptime',
- type: 'long',
- },
- {
- name: 'detect',
- type: 'group',
- fields: [
- {
- name: 'alert',
- type: 'long',
- },
- ],
- },
- {
- name: 'http',
- type: 'group',
- fields: [
- {
- name: 'memcap',
- type: 'long',
- },
- {
- name: 'memuse',
- type: 'long',
- },
- ],
- },
- {
- name: 'file_store',
- type: 'group',
- fields: [
- {
- name: 'open_files',
- type: 'long',
- },
- ],
- },
- {
- name: 'defrag',
- type: 'group',
- fields: [
- {
- name: 'max_frag_hits',
- type: 'long',
- },
- {
- name: 'ipv4',
- type: 'group',
- fields: [
- {
- name: 'timeouts',
- type: 'long',
- },
- {
- name: 'fragments',
- type: 'long',
- },
- {
- name: 'reassembled',
- type: 'long',
- },
- ],
- },
- {
- name: 'ipv6',
- type: 'group',
- fields: [
- {
- name: 'timeouts',
- type: 'long',
- },
- {
- name: 'fragments',
- type: 'long',
- },
- {
- name: 'reassembled',
- type: 'long',
- },
- ],
- },
- ],
- },
- {
- name: 'flow',
- type: 'group',
- fields: [
- {
- name: 'tcp_reuse',
- type: 'long',
- },
- {
- name: 'udp',
- type: 'long',
- },
- {
- name: 'memcap',
- type: 'long',
- },
- {
- name: 'emerg_mode_entered',
- type: 'long',
- },
- {
- name: 'emerg_mode_over',
- type: 'long',
- },
- {
- name: 'tcp',
- type: 'long',
- },
- {
- name: 'icmpv6',
- type: 'long',
- },
- {
- name: 'icmpv4',
- type: 'long',
- },
- {
- name: 'spare',
- type: 'long',
- },
- {
- name: 'memuse',
- type: 'long',
- },
- ],
- },
- {
- name: 'tcp',
- type: 'group',
- fields: [
- {
- name: 'pseudo_failed',
- type: 'long',
- },
- {
- name: 'ssn_memcap_drop',
- type: 'long',
- },
- {
- name: 'insert_data_overlap_fail',
- type: 'long',
- },
- {
- name: 'sessions',
- type: 'long',
- },
- {
- name: 'pseudo',
- type: 'long',
- },
- {
- name: 'synack',
- type: 'long',
- },
- {
- name: 'insert_data_normal_fail',
- type: 'long',
- },
- {
- name: 'syn',
- type: 'long',
- },
- {
- name: 'memuse',
- type: 'long',
- },
- {
- name: 'invalid_checksum',
+ name: 'module',
+ type: 'alias',
+ path: 'apache.error.module',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'apache',
+ type: 'group',
+ description: 'Apache fields.\n',
+ fields: [
+ {
+ name: 'access',
+ type: 'group',
+ description: 'Contains fields for the Apache HTTP Server access logs.\n',
+ fields: [
+ {
+ name: 'ssl.protocol',
+ type: 'keyword',
+ description: 'SSL protocol version.\n',
+ },
+ {
+ name: 'ssl.cipher',
+ type: 'keyword',
+ description: 'SSL cipher name.\n',
+ },
+ ],
+ },
+ {
+ name: 'error',
+ type: 'group',
+ description: 'Fields from the Apache error logs.\n',
+ fields: [
+ {
+ name: 'module',
+ type: 'keyword',
+ description: 'The module producing the logged message.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'auditd',
+ title: 'Auditd',
+ description: 'Module for parsing auditd logs.\n',
+ short_config: true,
+ fields: [
+ {
+ name: 'user',
+ type: 'group',
+ fields: [
+ {
+ name: 'terminal',
+ type: 'keyword',
+ description:
+ 'Terminal or tty device on which the user is performing the observed activity.\n',
+ },
+ {
+ name: 'audit',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'One or multiple unique identifiers of the user.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ example: 'albert',
+ description: 'Short name or login of the user.\n',
+ },
+ {
+ name: 'group.id',
+ type: 'keyword',
+ description: 'Unique identifier for the group on the system/platform.\n',
+ },
+ {
+ name: 'group.name',
+ type: 'keyword',
+ description: 'Name of the group.\n',
+ },
+ ],
+ },
+ {
+ name: 'effective',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'One or multiple unique identifiers of the user.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ example: 'albert',
+ description: 'Short name or login of the user.\n',
+ },
+ {
+ name: 'group.id',
+ type: 'keyword',
+ description: 'Unique identifier for the group on the system/platform.\n',
+ },
+ {
+ name: 'group.name',
+ type: 'keyword',
+ description: 'Name of the group.\n',
+ },
+ ],
+ },
+ {
+ name: 'filesystem',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'One or multiple unique identifiers of the user.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ example: 'albert',
+ description: 'Short name or login of the user.\n',
+ },
+ {
+ name: 'group.id',
+ type: 'keyword',
+ description: 'Unique identifier for the group on the system/platform.\n',
+ },
+ {
+ name: 'group.name',
+ type: 'keyword',
+ description: 'Name of the group.\n',
+ },
+ ],
+ },
+ {
+ name: 'owner',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'One or multiple unique identifiers of the user.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ example: 'albert',
+ description: 'Short name or login of the user.\n',
+ },
+ {
+ name: 'group.id',
+ type: 'keyword',
+ description: 'Unique identifier for the group on the system/platform.\n',
+ },
+ {
+ name: 'group.name',
+ type: 'keyword',
+ description: 'Name of the group.\n',
+ },
+ ],
+ },
+ {
+ name: 'saved',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'One or multiple unique identifiers of the user.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ example: 'albert',
+ description: 'Short name or login of the user.\n',
+ },
+ {
+ name: 'group.id',
+ type: 'keyword',
+ description: 'Unique identifier for the group on the system/platform.\n',
+ },
+ {
+ name: 'group.name',
+ type: 'keyword',
+ description: 'Name of the group.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'auditd',
+ type: 'group',
+ description: 'Fields from the auditd logs.\n',
+ fields: [
+ {
+ name: 'log',
+ type: 'group',
+ description:
+ 'Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.\n',
+ fields: [
+ {
+ name: 'old_auid',
+ description:
+ 'For login events this is the old audit ID used for the user prior to this login.\n',
+ },
+ {
+ name: 'new_auid',
+ description:
+ 'For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).\n',
+ },
+ {
+ name: 'old_ses',
+ description:
+ 'For login events this is the old session ID used for the user prior to this login.\n',
+ },
+ {
+ name: 'new_ses',
+ description:
+ 'For login events this is the new session ID. It can be used to tie a user to future events by session ID.\n',
+ },
+ {
+ name: 'sequence',
+ type: 'long',
+ description: 'The audit event sequence number.\n',
+ },
+ {
+ name: 'items',
+ description: 'The number of items in an event.\n',
+ },
+ {
+ name: 'item',
+ description:
+ 'The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.\n',
+ },
+ {
+ name: 'tty',
+ type: 'keyword',
+ definition: 'TTY udevice the user is running programs on.\n',
+ },
+ {
+ name: 'a0',
+ description: 'The first argument to the system call.\n',
+ },
+ {
+ name: 'addr',
+ type: 'ip',
+ definition: 'Remote address that the user is connecting from.\n',
+ },
+ {
+ name: 'rport',
+ type: 'long',
+ definition: 'Remote port number.\n',
+ },
+ {
+ name: 'laddr',
+ type: 'ip',
+ definition: 'Local network address.\n',
+ },
+ {
+ name: 'lport',
+ type: 'long',
+ definition: 'Local port number.\n',
+ },
+ {
+ name: 'acct',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'pid',
+ type: 'alias',
+ path: 'process.pid',
+ migration: true,
+ },
+ {
+ name: 'ppid',
+ type: 'alias',
+ path: 'process.ppid',
+ migration: true,
+ },
+ {
+ name: 'res',
+ type: 'alias',
+ path: 'event.outcome',
+ migration: true,
+ },
+ {
+ name: 'record_type',
+ type: 'alias',
+ path: 'event.action',
+ migration: true,
+ },
+ {
+ name: 'geoip',
+ type: 'group',
+ fields: [
+ {
+ name: 'continent_name',
+ type: 'alias',
+ path: 'source.geo.continent_name',
+ migration: true,
+ },
+ {
+ name: 'country_iso_code',
+ type: 'alias',
+ path: 'source.geo.country_iso_code',
+ migration: true,
+ },
+ {
+ name: 'location',
+ type: 'alias',
+ path: 'source.geo.location',
+ migration: true,
+ },
+ {
+ name: 'region_name',
+ type: 'alias',
+ path: 'source.geo.region_name',
+ migration: true,
+ },
+ {
+ name: 'city_name',
+ type: 'alias',
+ path: 'source.geo.city_name',
+ migration: true,
+ },
+ {
+ name: 'region_iso_code',
+ type: 'alias',
+ path: 'source.geo.region_iso_code',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'arch',
+ type: 'alias',
+ path: 'host.architecture',
+ migration: true,
+ },
+ {
+ name: 'gid',
+ type: 'alias',
+ path: 'user.group.id',
+ migration: true,
+ },
+ {
+ name: 'uid',
+ type: 'alias',
+ path: 'user.id',
+ migration: true,
+ },
+ {
+ name: 'agid',
+ type: 'alias',
+ path: 'user.audit.group.id',
+ migration: true,
+ },
+ {
+ name: 'auid',
+ type: 'alias',
+ path: 'user.audit.id',
+ migration: true,
+ },
+ {
+ name: 'fsgid',
+ type: 'alias',
+ path: 'user.filesystem.group.id',
+ migration: true,
+ },
+ {
+ name: 'fsuid',
+ type: 'alias',
+ path: 'user.filesystem.id',
+ migration: true,
+ },
+ {
+ name: 'egid',
+ type: 'alias',
+ path: 'user.effective.group.id',
+ migration: true,
+ },
+ {
+ name: 'euid',
+ type: 'alias',
+ path: 'user.effective.id',
+ migration: true,
+ },
+ {
+ name: 'sgid',
+ type: 'alias',
+ path: 'user.saved.group.id',
+ migration: true,
+ },
+ {
+ name: 'suid',
+ type: 'alias',
+ path: 'user.saved.id',
+ migration: true,
+ },
+ {
+ name: 'ogid',
+ type: 'alias',
+ path: 'user.owner.group.id',
+ migration: true,
+ },
+ {
+ name: 'ouid',
+ type: 'alias',
+ path: 'user.owner.id',
+ migration: true,
+ },
+ {
+ name: 'comm',
+ type: 'alias',
+ path: 'process.name',
+ migration: true,
+ },
+ {
+ name: 'exe',
+ type: 'alias',
+ path: 'process.executable',
+ migration: true,
+ },
+ {
+ name: 'terminal',
+ type: 'alias',
+ path: 'user.terminal',
+ migration: true,
+ },
+ {
+ name: 'msg',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ {
+ name: 'src',
+ type: 'alias',
+ path: 'source.address',
+ migration: true,
+ },
+ {
+ name: 'dst',
+ type: 'alias',
+ path: 'destination.address',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'elasticsearch',
+ title: 'elasticsearch',
+ description: 'elasticsearch Module\n',
+ fields: [
+ {
+ name: 'elasticsearch',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'component',
+ description: 'Elasticsearch component from where the log event originated',
+ example: 'o.e.c.m.MetaDataCreateIndexService',
+ type: 'keyword',
+ },
+ {
+ name: 'cluster.uuid',
+ description: 'UUID of the cluster',
+ example: 'GmvrbHlNTiSVYiPf8kxg9g',
+ type: 'keyword',
+ },
+ {
+ name: 'cluster.name',
+ description: 'Name of the cluster',
+ example: 'docker-cluster',
+ type: 'keyword',
+ },
+ {
+ name: 'node.id',
+ description: 'ID of the node',
+ example: 'DSiWcTyeThWtUXLB9J0BMw',
+ type: 'keyword',
+ },
+ {
+ name: 'node.name',
+ description: 'Name of the node',
+ example: 'vWNJsZ3',
+ type: 'keyword',
+ },
+ {
+ name: 'index.name',
+ description: 'Index name',
+ example: 'filebeat-test-input',
+ type: 'keyword',
+ },
+ {
+ name: 'index.id',
+ description: 'Index id',
+ example: 'aOGgDwbURfCV57AScqbCgw',
+ type: 'keyword',
+ },
+ {
+ name: 'shard.id',
+ description: 'Id of the shard',
+ example: '0',
+ type: 'keyword',
+ },
+ {
+ name: 'audit',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'layer',
+ description:
+ 'The layer from which this event originated: rest, transport or ip_filter',
+ example: 'rest',
+ type: 'keyword',
+ },
+ {
+ name: 'event_type',
+ description:
+ 'The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied',
+ example: 'access_granted',
+ type: 'keyword',
+ },
+ {
+ name: 'origin.type',
+ description:
+ 'Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)',
+ example: 'local_node',
+ type: 'keyword',
+ },
+ {
+ name: 'realm',
+ description: 'The authentication realm the authentication was validated against',
+ example: 'default_file',
+ type: 'keyword',
+ },
+ {
+ name: 'user.realm',
+ description: "The user's authentication realm, if authenticated",
+ example: 'active_directory',
+ type: 'keyword',
+ },
+ {
+ name: 'user.roles',
+ description: 'Roles to which the principal belongs',
+ example: ['kibana_user', 'beats_admin'],
+ type: 'keyword',
+ },
+ {
+ name: 'action',
+ description: 'The name of the action that was executed',
+ example: 'cluster:monitor/main',
+ type: 'keyword',
+ },
+ {
+ name: 'url.params',
+ description: 'REST URI parameters',
+ example: '{username=jacknich2}',
+ },
+ {
+ name: 'indices',
+ description: 'Indices accessed by action',
+ example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'],
+ type: 'keyword',
+ },
+ {
+ name: 'request.id',
+ description: 'Unique ID of request',
+ example: 'WzL_kb6VSvOhAq0twPvHOQ',
+ type: 'keyword',
+ },
+ {
+ name: 'request.name',
+ description: 'The type of request that was executed',
+ example: 'ClearScrollRequest',
+ type: 'keyword',
+ },
+ {
+ name: 'request_body',
+ type: 'alias',
+ path: 'http.request.body.content',
+ migration: true,
+ },
+ {
+ name: 'origin_address',
+ type: 'alias',
+ path: 'source.ip',
+ migration: true,
+ },
+ {
+ name: 'uri',
+ type: 'alias',
+ path: 'url.original',
+ migration: true,
+ },
+ {
+ name: 'principal',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'text',
+ },
+ ],
+ },
+ {
+ name: 'gc',
+ type: 'group',
+ description: 'GC fileset fields.\n',
+ fields: [
+ {
+ name: 'phase',
+ type: 'group',
+ description: 'Fields specific to GC phase.\n',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Name of the GC collection phase.\n',
+ },
+ {
+ name: 'duration_sec',
+ type: 'float',
+ description:
+ 'Collection phase duration according to the Java virtual machine.\n',
+ },
+ {
+ name: 'scrub_symbol_table_time_sec',
+ type: 'float',
+ description: 'Pause time in seconds cleaning up symbol tables.\n',
+ },
+ {
+ name: 'scrub_string_table_time_sec',
+ type: 'float',
+ description: 'Pause time in seconds cleaning up string tables.\n',
+ },
+ {
+ name: 'weak_refs_processing_time_sec',
+ type: 'float',
+ description: 'Time spent processing weak references in seconds.\n',
+ },
+ {
+ name: 'parallel_rescan_time_sec',
+ type: 'float',
+ description:
+ 'Time spent in seconds marking live objects while application is stopped.\n',
+ },
+ {
+ name: 'class_unload_time_sec',
+ type: 'float',
+ description: 'Time spent unloading unused classes in seconds.\n',
+ },
+ {
+ name: 'cpu_time',
+ type: 'group',
+ description: 'Process CPU time spent performing collections.\n',
+ fields: [
+ {
+ name: 'user_sec',
+ type: 'float',
+ description: 'CPU time spent outside the kernel.\n',
+ },
+ {
+ name: 'sys_sec',
+ type: 'float',
+ description: 'CPU time spent inside the kernel.\n',
+ },
+ {
+ name: 'real_sec',
+ type: 'float',
+ description:
+ 'Total elapsed CPU time spent to complete the collection from start to finish.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'jvm_runtime_sec',
+ type: 'float',
+ description: 'The time from JVM start up in seconds, as a floating point number.\n',
+ },
+ {
+ name: 'threads_total_stop_time_sec',
+ type: 'float',
+ description: 'Garbage collection threads total stop time seconds.\n',
+ },
+ {
+ name: 'stopping_threads_time_sec',
+ type: 'float',
+ description: 'Time took to stop threads seconds.\n',
+ },
+ {
+ name: 'tags',
+ type: 'keyword',
+ description: 'GC logging tags.\n',
+ },
+ {
+ name: 'heap',
+ type: 'group',
+ description: 'Heap allocation and total size.\n',
+ fields: [
+ {
+ name: 'size_kb',
+ type: 'integer',
+ description: 'Total heap size in kilobytes.\n',
+ },
+ {
+ name: 'used_kb',
+ type: 'integer',
+ description: 'Used heap in kilobytes.\n',
+ },
+ ],
+ },
+ {
+ name: 'old_gen',
+ type: 'group',
+ description: 'Old generation occupancy and total size.\n',
+ fields: [
+ {
+ name: 'size_kb',
+ type: 'integer',
+ description: 'Total size of old generation in kilobytes.\n',
+ },
+ {
+ name: 'used_kb',
+ type: 'integer',
+ description: 'Old generation occupancy in kilobytes.\n',
+ },
+ ],
+ },
+ {
+ name: 'young_gen',
+ type: 'group',
+ description: 'Young generation occupancy and total size.\n',
+ fields: [
+ {
+ name: 'size_kb',
+ type: 'integer',
+ description: 'Total size of young generation in kilobytes.\n',
+ },
+ {
+ name: 'used_kb',
+ type: 'integer',
+ description: 'Young generation occupancy in kilobytes.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'server',
+ description: 'Server log file',
+ type: 'group',
+ fields: [
+ {
+ name: 'stacktrace',
+ description: 'Stack trace in case of errors',
+ index: false,
+ },
+ {
+ name: 'gc',
+ description: 'GC log',
+ type: 'group',
+ fields: [
+ {
+ name: 'young',
+ description: 'Young GC',
+ example: '',
+ type: 'group',
+ fields: [
+ {
+ name: 'one',
+ description: '',
+ example: '',
+ type: 'long',
+ },
+ {
+ name: 'two',
+ description: '',
+ example: '',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'overhead_seq',
+ description: 'Sequence number',
+ example: 3449992,
+ type: 'long',
+ },
+ {
+ name: 'collection_duration.ms',
+ description: 'Time spent in GC, in milliseconds',
+ example: 1600,
+ type: 'float',
+ },
+ {
+ name: 'observation_duration.ms',
+ description: 'Total time over which collection was observed, in milliseconds',
+ example: 1800,
+ type: 'float',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'slowlog',
+ description: 'Slowlog events from Elasticsearch',
+ example:
+ '[2018-06-29T10:06:14,933][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[4.5ms], took_millis[4], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{"query":{"match_all":{"boost":1.0}}}],',
+ type: 'group',
+ fields: [
+ {
+ name: 'logger',
+ description: 'Logger name',
+ example: 'index.search.slowlog.fetch',
+ type: 'keyword',
+ },
+ {
+ name: 'took',
+ description: 'Time it took to execute the query',
+ example: '300ms',
+ type: 'keyword',
+ },
+ {
+ name: 'types',
+ description: 'Types',
+ example: '',
+ type: 'keyword',
+ },
+ {
+ name: 'stats',
+ description: 'Stats groups',
+ example: 'group1',
+ type: 'keyword',
+ },
+ {
+ name: 'search_type',
+ description: 'Search type',
+ example: 'QUERY_THEN_FETCH',
+ type: 'keyword',
+ },
+ {
+ name: 'source_query',
+ description: 'Slow query',
+ example: '{"query":{"match_all":{"boost":1.0}}}',
+ type: 'keyword',
+ },
+ {
+ name: 'extra_source',
+ description: 'Extra source information',
+ example: '',
+ type: 'keyword',
+ },
+ {
+ name: 'total_hits',
+ description: 'Total hits',
+ example: 42,
+ type: 'keyword',
+ },
+ {
+ name: 'total_shards',
+ description: 'Total queried shards',
+ example: 22,
+ type: 'keyword',
+ },
+ {
+ name: 'routing',
+ description: 'Routing',
+ example: 's01HZ2QBk9jw4gtgaFtn',
+ type: 'keyword',
+ },
+ {
+ name: 'id',
+ description: 'Id',
+ example: '',
+ type: 'keyword',
+ },
+ {
+ name: 'type',
+ description: 'Type',
+ example: 'doc',
+ type: 'keyword',
+ },
+ {
+ name: 'source',
+ description: 'Source of document that was indexed',
+ type: 'keyword',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'haproxy',
+ title: 'haproxy',
+ description: 'haproxy Module\n',
+ fields: [
+ {
+ name: 'haproxy',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'frontend_name',
+ description:
+ 'Name of the frontend (or listener) which received and processed the connection.',
+ },
+ {
+ name: 'backend_name',
+ description:
+ 'Name of the backend (or listener) which was selected to manage the connection to the server.',
+ },
+ {
+ name: 'server_name',
+ description: 'Name of the last server to which the connection was sent.',
+ },
+ {
+ name: 'total_waiting_time_ms',
+ description: 'Total time in milliseconds spent waiting in the various queues',
+ type: 'long',
+ },
+ {
+ name: 'connection_wait_time_ms',
+ description:
+ 'Total time in milliseconds spent waiting for the connection to establish to the final server',
+ type: 'long',
+ },
+ {
+ name: 'bytes_read',
+ description: 'Total number of bytes transmitted to the client when the log is emitted.',
+ type: 'long',
+ },
+ {
+ name: 'time_queue',
+ description: 'Total time in milliseconds spent waiting in the various queues.',
+ type: 'long',
+ },
+ {
+ name: 'time_backend_connect',
+ description:
+ 'Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.',
+ type: 'long',
+ },
+ {
+ name: 'server_queue',
+ description:
+ 'Total number of requests which were processed before this one in the server queue.',
+ type: 'long',
+ },
+ {
+ name: 'backend_queue',
+ description:
+ "Total number of requests which were processed before this one in the backend's global queue.",
+ type: 'long',
+ },
+ {
+ name: 'bind_name',
+ description: 'Name of the listening address which received the connection.',
+ },
+ {
+ name: 'error_message',
+ description: 'Error message logged by HAProxy in case of error.',
+ type: 'text',
+ },
+ {
+ name: 'source',
+ type: 'keyword',
+ description: 'The HAProxy source of the log',
+ },
+ {
+ name: 'termination_state',
+ description: 'Condition the session was in when the session ended.',
+ },
+ {
+ name: 'mode',
+ type: 'keyword',
+ description: 'mode that the frontend is operating (TCP or HTTP)',
+ },
+ {
+ name: 'connections',
+ description: 'Contains various counts of connections active in the process.',
+ type: 'group',
+ fields: [
+ {
+ name: 'active',
+ description:
+ 'Total number of concurrent connections on the process when the session was logged.',
+ type: 'long',
+ },
+ {
+ name: 'frontend',
+ description:
+ 'Total number of concurrent connections on the frontend when the session was logged.',
+ type: 'long',
+ },
+ {
+ name: 'backend',
+ description:
+ 'Total number of concurrent connections handled by the backend when the session was logged.',
+ type: 'long',
+ },
+ {
+ name: 'server',
+ description:
+ 'Total number of concurrent connections still active on the server when the session was logged.',
+ type: 'long',
+ },
+ {
+ name: 'retries',
+ description:
+ 'Number of connection retries experienced by this session when trying to connect to the server.',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'client',
+ description: 'Information about the client doing the request',
+ type: 'group',
+ fields: [
+ {
+ name: 'ip',
+ type: 'alias',
+ path: 'source.address',
+ migration: true,
+ },
+ {
+ name: 'port',
+ type: 'alias',
+ path: 'source.port',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'process_name',
+ type: 'alias',
+ path: 'process.name',
+ migration: true,
+ },
+ {
+ name: 'pid',
+ type: 'alias',
+ path: 'process.pid',
+ migration: true,
+ },
+ {
+ name: 'destination',
+ description: 'Destination information',
+ type: 'group',
+ fields: [
+ {
+ name: 'port',
+ type: 'alias',
+ path: 'destination.port',
+ migration: true,
+ },
+ {
+ name: 'ip',
+ type: 'alias',
+ path: 'destination.ip',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'geoip',
+ type: 'group',
+ description:
+ 'Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.\n',
+ fields: [
+ {
+ name: 'continent_name',
+ type: 'alias',
+ path: 'source.geo.continent_name',
+ migration: true,
+ },
+ {
+ name: 'country_iso_code',
+ type: 'alias',
+ path: 'source.geo.country_iso_code',
+ migration: true,
+ },
+ {
+ name: 'location',
+ type: 'alias',
+ path: 'source.geo.location',
+ migration: true,
+ },
+ {
+ name: 'region_name',
+ type: 'alias',
+ path: 'source.geo.region_name',
+ migration: true,
+ },
+ {
+ name: 'city_name',
+ type: 'alias',
+ path: 'source.geo.city_name',
+ migration: true,
+ },
+ {
+ name: 'region_iso_code',
+ type: 'alias',
+ path: 'source.geo.region_iso_code',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'http',
+ description: 'Please add description',
+ type: 'group',
+ fields: [
+ {
+ name: 'response',
+ description: 'Fields related to the HTTP response',
+ type: 'group',
+ fields: [
+ {
+ name: 'captured_cookie',
+ description:
+ 'Optional "name=value" entry indicating that the client had this cookie in the response.\n',
+ },
+ {
+ name: 'captured_headers',
+ description:
+ 'List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.\n',
+ type: 'keyword',
+ },
+ {
+ name: 'status_code',
+ type: 'alias',
+ path: 'http.response.status_code',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'request',
+ description: 'Fields related to the HTTP request',
+ type: 'group',
+ fields: [
+ {
+ name: 'captured_cookie',
+ description:
+ 'Optional "name=value" entry indicating that the server has returned a cookie with its request.\n',
+ },
+ {
+ name: 'captured_headers',
+ description:
+ 'List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.\n',
+ type: 'keyword',
+ },
+ {
+ name: 'raw_request_line',
+ description:
+ 'Complete HTTP request line, including the method, request and HTTP version string.',
+ type: 'keyword',
+ },
+ {
+ name: 'time_wait_without_data_ms',
+ description:
+ 'Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.',
+ type: 'long',
+ },
+ {
+ name: 'time_wait_ms',
+ description:
+ 'Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.',
+ type: 'long',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'tcp',
+ description: 'TCP log format',
+ type: 'group',
+ fields: [
+ {
+ name: 'connection_waiting_time_ms',
+ type: 'long',
+ description:
+ 'Total time in milliseconds elapsed between the accept and the last close',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'icinga',
+ title: 'Icinga',
+ description: 'Icinga Module\n',
+ fields: [
+ {
+ name: 'icinga',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'debug',
+ type: 'group',
+ description: 'Contains fields for the Icinga debug logs.\n',
+ fields: [
+ {
+ name: 'facility',
+ type: 'keyword',
+ description: 'Specifies what component of Icinga logged the message.\n',
+ },
+ {
+ name: 'severity',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'main',
+ type: 'group',
+ description: 'Contains fields for the Icinga main logs.\n',
+ fields: [
+ {
+ name: 'facility',
+ type: 'keyword',
+ description: 'Specifies what component of Icinga logged the message.\n',
+ },
+ {
+ name: 'severity',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'startup',
+ type: 'group',
+ description: 'Contains fields for the Icinga startup logs.\n',
+ fields: [
+ {
+ name: 'facility',
+ type: 'keyword',
+ description: 'Specifies what component of Icinga logged the message.\n',
+ },
+ {
+ name: 'severity',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'iis',
+ title: 'IIS',
+ description: 'Module for parsing IIS log files.\n',
+ fields: [
+ {
+ name: 'iis',
+ type: 'group',
+ description: 'Fields from IIS log files.\n',
+ fields: [
+ {
+ name: 'access',
+ type: 'group',
+ description: 'Contains fields for IIS access logs.\n',
+ fields: [
+ {
+ name: 'sub_status',
+ type: 'long',
+ description: 'The HTTP substatus code.\n',
+ },
+ {
+ name: 'win32_status',
+ type: 'long',
+ description: 'The Windows status code.\n',
+ },
+ {
+ name: 'site_name',
+ type: 'keyword',
+ description: 'The site name and instance number.\n',
+ },
+ {
+ name: 'server_name',
+ type: 'keyword',
+ description: 'The name of the server on which the log file entry was generated.\n',
+ },
+ {
+ name: 'cookie',
+ type: 'keyword',
+ description: 'The content of the cookie sent or received, if any.\n',
+ },
+ {
+ name: 'body_received.bytes',
+ type: 'alias',
+ path: 'http.request.body.bytes',
+ migration: true,
+ },
+ {
+ name: 'body_sent.bytes',
+ type: 'alias',
+ path: 'http.response.body.bytes',
+ migration: true,
+ },
+ {
+ name: 'server_ip',
+ type: 'alias',
+ path: 'destination.address',
+ migration: true,
+ },
+ {
+ name: 'method',
+ type: 'alias',
+ path: 'http.request.method',
+ migration: true,
+ },
+ {
+ name: 'url',
+ type: 'alias',
+ path: 'url.path',
+ migration: true,
+ },
+ {
+ name: 'query_string',
+ type: 'alias',
+ path: 'url.query',
+ migration: true,
+ },
+ {
+ name: 'port',
+ type: 'alias',
+ path: 'destination.port',
+ migration: true,
+ },
+ {
+ name: 'user_name',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'remote_ip',
+ type: 'alias',
+ path: 'source.address',
+ migration: true,
+ },
+ {
+ name: 'referrer',
+ type: 'alias',
+ path: 'http.request.referrer',
+ migration: true,
+ },
+ {
+ name: 'response_code',
+ type: 'alias',
+ path: 'http.response.status_code',
+ migration: true,
+ },
+ {
+ name: 'http_version',
+ type: 'alias',
+ path: 'http.version',
+ migration: true,
+ },
+ {
+ name: 'hostname',
+ type: 'alias',
+ path: 'host.hostname',
+ migration: true,
+ },
+ {
+ name: 'user_agent',
+ type: 'group',
+ fields: [
+ {
+ name: 'device',
+ type: 'alias',
+ path: 'user_agent.device.name',
+ migration: true,
+ },
+ {
+ name: 'name',
+ type: 'alias',
+ path: 'user_agent.name',
+ migration: true,
+ },
+ {
+ name: 'os',
+ type: 'alias',
+ path: 'user_agent.os.full_name',
+ migration: true,
+ },
+ {
+ name: 'os_name',
+ type: 'alias',
+ path: 'user_agent.os.name',
+ migration: true,
+ },
+ {
+ name: 'original',
+ type: 'alias',
+ path: 'user_agent.original',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'geoip',
+ type: 'group',
+ fields: [
+ {
+ name: 'continent_name',
+ type: 'alias',
+ path: 'source.geo.continent_name',
+ migration: true,
+ },
+ {
+ name: 'country_iso_code',
+ type: 'alias',
+ path: 'source.geo.country_iso_code',
+ migration: true,
+ },
+ {
+ name: 'location',
+ type: 'alias',
+ path: 'source.geo.location',
+ migration: true,
+ },
+ {
+ name: 'region_name',
+ type: 'alias',
+ path: 'source.geo.region_name',
+ migration: true,
+ },
+ {
+ name: 'city_name',
+ type: 'alias',
+ path: 'source.geo.city_name',
+ migration: true,
+ },
+ {
+ name: 'region_iso_code',
+ type: 'alias',
+ path: 'source.geo.region_iso_code',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'error',
+ type: 'group',
+ description: 'Contains fields for IIS error logs.\n',
+ fields: [
+ {
+ name: 'reason_phrase',
+ type: 'keyword',
+ description: 'The HTTP reason phrase.\n',
+ },
+ {
+ name: 'queue_name',
+ type: 'keyword',
+ description: 'The IIS application pool name.\n',
+ },
+ {
+ name: 'remote_ip',
+ type: 'alias',
+ path: 'source.address',
+ migration: true,
+ },
+ {
+ name: 'remote_port',
+ type: 'alias',
+ path: 'source.port',
+ migration: true,
+ },
+ {
+ name: 'server_ip',
+ type: 'alias',
+ path: 'destination.address',
+ migration: true,
+ },
+ {
+ name: 'server_port',
+ type: 'alias',
+ path: 'destination.port',
+ migration: true,
+ },
+ {
+ name: 'http_version',
+ type: 'alias',
+ path: 'http.version',
+ migration: true,
+ },
+ {
+ name: 'method',
+ type: 'alias',
+ path: 'http.request.method',
+ migration: true,
+ },
+ {
+ name: 'url',
+ type: 'alias',
+ path: 'url.original',
+ migration: true,
+ },
+ {
+ name: 'response_code',
+ type: 'alias',
+ path: 'http.response.status_code',
+ migration: true,
+ },
+ {
+ name: 'geoip',
+ type: 'group',
+ fields: [
+ {
+ name: 'continent_name',
+ type: 'alias',
+ path: 'source.geo.continent_name',
+ migration: true,
+ },
+ {
+ name: 'country_iso_code',
+ type: 'alias',
+ path: 'source.geo.country_iso_code',
+ migration: true,
+ },
+ {
+ name: 'location',
+ type: 'alias',
+ path: 'source.geo.location',
+ migration: true,
+ },
+ {
+ name: 'region_name',
+ type: 'alias',
+ path: 'source.geo.region_name',
+ migration: true,
+ },
+ {
+ name: 'city_name',
+ type: 'alias',
+ path: 'source.geo.city_name',
+ migration: true,
+ },
+ {
+ name: 'region_iso_code',
+ type: 'alias',
+ path: 'source.geo.region_iso_code',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'kafka',
+ title: 'Kafka',
+ description: 'Kafka module\n',
+ fields: [
+ {
+ name: 'kafka',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'log',
+ type: 'group',
+ description: 'Kafka log lines.\n',
+ fields: [
+ {
+ name: 'level',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ {
+ name: 'component',
+ type: 'keyword',
+ description: 'Component the log is coming from.\n',
+ },
+ {
+ name: 'class',
+ type: 'keyword',
+ description: 'Java class the log is coming from.\n',
+ },
+ {
+ name: 'trace',
+ type: 'group',
+ description: 'Trace in the log line.\n',
+ fields: [
+ {
+ name: 'class',
+ type: 'keyword',
+ description: 'Java class the trace is coming from.\n',
+ },
+ {
+ name: 'message',
+ type: 'text',
+ description: 'Message part of the trace.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'kibana',
+ title: 'kibana',
+ description: 'kibana Module\n',
+ fields: [
+ {
+ name: 'kibana',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'log',
+ type: 'group',
+ description: 'Kafka log lines.\n',
+ fields: [
+ {
+ name: 'tags',
+ type: 'keyword',
+ description: 'Kibana logging tags.\n',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description: 'Current state of Kibana.\n',
+ },
+ {
+ name: 'meta',
+ type: 'object',
+ object_type: 'keyword',
+ },
+ {
+ name: 'kibana.log.meta.req.headers.referer',
+ type: 'alias',
+ path: 'http.request.referrer',
+ migration: true,
+ },
+ {
+ name: 'kibana.log.meta.req.referer',
+ type: 'alias',
+ path: 'http.request.referrer',
+ migration: true,
+ },
+ {
+ name: 'kibana.log.meta.req.headers.user-agent',
+ type: 'alias',
+ path: 'user_agent.original',
+ migration: true,
+ },
+ {
+ name: 'kibana.log.meta.req.remoteAddress',
+ type: 'alias',
+ path: 'source.address',
+ migration: true,
+ },
+ {
+ name: 'kibana.log.meta.req.url',
+ type: 'alias',
+ path: 'url.original',
+ migration: true,
+ },
+ {
+ name: 'kibana.log.meta.statusCode',
+ type: 'alias',
+ path: 'http.response.status_code',
+ migration: true,
+ },
+ {
+ name: 'kibana.log.meta.method',
+ type: 'alias',
+ path: 'http.request.method',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'logstash',
+ title: 'logstash',
+ description: 'logstash Module\n',
+ fields: [
+ {
+ name: 'logstash',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'log',
+ title: 'Logstash',
+ type: 'group',
+ description: 'Fields from the Logstash logs.\n',
+ fields: [
+ {
+ name: 'module',
+ type: 'keyword',
+ description: 'The module or class where the event originate.\n',
+ },
+ {
+ name: 'thread',
+ type: 'keyword',
+ description: 'Information about the running thread where the log originate.\n',
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ },
+ ],
+ },
+ {
+ name: 'log_event',
+ type: 'object',
+ description: 'key and value debugging information.\n',
+ },
+ {
+ name: 'pipeline_id',
+ type: 'keyword',
+ example: 'main',
+ description: 'The ID of the pipeline.\n',
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ {
+ name: 'level',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'slowlog',
+ type: 'group',
+ description: 'slowlog\n',
+ fields: [
+ {
+ name: 'module',
+ type: 'keyword',
+ description: 'The module or class where the event originate.\n',
+ },
+ {
+ name: 'thread',
+ type: 'keyword',
+ description: 'Information about the running thread where the log originate.\n',
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ },
+ ],
+ },
+ {
+ name: 'event',
+ type: 'keyword',
+ description: 'Raw dump of the original event\n',
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ },
+ ],
+ },
+ {
+ name: 'plugin_name',
+ type: 'keyword',
+ description: 'Name of the plugin\n',
+ },
+ {
+ name: 'plugin_type',
+ type: 'keyword',
+ description: 'Type of the plugin: Inputs, Filters, Outputs or Codecs.\n',
+ },
+ {
+ name: 'took_in_millis',
+ type: 'long',
+ description: 'Execution time for the plugin in milliseconds.\n',
+ },
+ {
+ name: 'plugin_params',
+ type: 'keyword',
+ description: 'String value of the plugin configuration\n',
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ },
+ ],
+ },
+ {
+ name: 'plugin_params_object',
+ type: 'object',
+ description: 'key -> value of the configuration used by the plugin.\n',
+ },
+ {
+ name: 'level',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'took_in_nanos',
+ type: 'alias',
+ path: 'event.duration',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'mongodb',
+ title: 'mongodb',
+ description: 'Module for parsing MongoDB log files.\n',
+ fields: [
+ {
+ name: 'mongodb',
+ type: 'group',
+ description: 'Fields from MongoDB logs.\n',
+ fields: [
+ {
+ name: 'log',
+ type: 'group',
+ description: 'Contains fields from MongoDB logs.\n',
+ fields: [
+ {
+ name: 'component',
+ description: 'Functional categorization of message\n',
+ example: 'COMMAND',
+ type: 'keyword',
+ },
+ {
+ name: 'context',
+ description: 'Context of message\n',
+ example: 'initandlisten',
+ type: 'keyword',
+ },
+ {
+ name: 'severity',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'mysql',
+ title: 'MySQL',
+ description: 'Module for parsing the MySQL log files.\n',
+ short_config: true,
+ fields: [
+ {
+ name: 'mysql',
+ type: 'group',
+ description: 'Fields from the MySQL log files.\n',
+ fields: [
+ {
+ name: 'thread_id',
+ type: 'long',
+ description: 'The connection or thread ID for the query.\n',
+ },
+ {
+ name: 'error',
+ type: 'group',
+ description: 'Contains fields from the MySQL error logs.\n',
+ fields: [
+ {
+ name: 'thread_id',
+ type: 'alias',
+ path: 'mysql.thread_id',
+ migration: true,
+ },
+ {
+ name: 'level',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'slowlog',
+ type: 'group',
+ description: 'Contains fields from the MySQL slow logs.\n',
+ fields: [
+ {
+ name: 'lock_time.sec',
+ type: 'float',
+ description:
+ 'The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number.\n',
+ },
+ {
+ name: 'rows_sent',
+ type: 'long',
+ description: 'The number of rows returned by the query.\n',
+ },
+ {
+ name: 'rows_examined',
+ type: 'long',
+ description: 'The number of rows scanned by the query.\n',
+ },
+ {
+ name: 'rows_affected',
+ type: 'long',
+ description: 'The number of rows modified by the query.\n',
+ },
+ {
+ name: 'bytes_sent',
+ type: 'long',
+ format: 'bytes',
+ description: 'The number of bytes sent to client.\n',
+ },
+ {
+ name: 'bytes_received',
+ type: 'long',
+ format: 'bytes',
+ description: 'The number of bytes received from client.\n',
+ },
+ {
+ name: 'query',
+ description: 'The slow query.\n',
+ },
+ {
+ name: 'id',
+ type: 'alias',
+ path: 'mysql.thread_id',
+ migration: true,
+ },
+ {
+ name: 'schema',
+ type: 'keyword',
+ description: 'The schema where the slow query was executed.\n',
+ },
+ {
+ name: 'current_user',
+ type: 'keyword',
+ description:
+ 'Current authenticated user, used to determine access privileges. Can differ from the value for user.\n',
+ },
+ {
+ name: 'last_errno',
+ type: 'keyword',
+ description: 'Last SQL error seen.\n',
+ },
+ {
+ name: 'killed',
+ type: 'keyword',
+ description: 'Code of the reason if the query was killed.\n',
+ },
+ {
+ name: 'query_cache_hit',
+ type: 'boolean',
+ description: 'Whether the query cache was hit.\n',
+ },
+ {
+ name: 'tmp_table',
+ type: 'boolean',
+ description: 'Whether a temporary table was used to resolve the query.\n',
+ },
+ {
+ name: 'tmp_table_on_disk',
+ type: 'boolean',
+ description: 'Whether the query needed temporary tables on disk.\n',
+ },
+ {
+ name: 'tmp_tables',
+ type: 'long',
+ description: 'Number of temporary tables created for this query\n',
+ },
+ {
+ name: 'tmp_disk_tables',
+ type: 'long',
+ description: 'Number of temporary tables created on disk for this query.\n',
+ },
+ {
+ name: 'tmp_table_sizes',
+ type: 'long',
+ format: 'bytes',
+ description: 'Size of temporary tables created for this query.',
+ },
+ {
+ name: 'filesort',
+ type: 'boolean',
+ description: 'Whether filesort optimization was used.\n',
+ },
+ {
+ name: 'filesort_on_disk',
+ type: 'boolean',
+ description:
+ 'Whether filesort optimization was used and it needed temporary tables on disk.\n',
+ },
+ {
+ name: 'priority_queue',
+ type: 'boolean',
+ description: 'Whether a priority queue was used for filesort.\n',
+ },
+ {
+ name: 'full_scan',
+ type: 'boolean',
+ description: 'Whether a full table scan was needed for the slow query.\n',
+ },
+ {
+ name: 'full_join',
+ type: 'boolean',
+ description:
+ 'Whether a full join was needed for the slow query (no indexes were used for joins).\n',
+ },
+ {
+ name: 'merge_passes',
+ type: 'long',
+ description: 'Number of merge passes executed for the query.\n',
+ },
+ {
+ name: 'sort_merge_passes',
+ type: 'long',
+ description: 'Number of merge passes that the sort algorithm has had to do.\n',
+ },
+ {
+ name: 'sort_range_count',
+ type: 'long',
+ description: 'Number of sorts that were done using ranges.\n',
+ },
+ {
+ name: 'sort_rows',
+ type: 'long',
+ description: 'Number of sorted rows.\n',
+ },
+ {
+ name: 'sort_scan_count',
+ type: 'long',
+ description: 'Number of sorts that were done by scanning the table.\n',
+ },
+ {
+ name: 'log_slow_rate_type',
+ type: 'keyword',
+ description:
+ 'Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query.\n',
+ },
+ {
+ name: 'log_slow_rate_limit',
+ type: 'keyword',
+ description:
+ 'Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged.\n',
+ },
+ {
+ name: 'read_first',
+ type: 'long',
+ description: 'The number of times the first entry in an index was read.\n',
+ },
+ {
+ name: 'read_last',
+ type: 'long',
+ description: 'The number of times the last key in an index was read.\n',
+ },
+ {
+ name: 'read_key',
+ type: 'long',
+ description: 'The number of requests to read a row based on a key.\n',
+ },
+ {
+ name: 'read_next',
+ type: 'long',
+ description: 'The number of requests to read the next row in key order.\n',
+ },
+ {
+ name: 'read_prev',
+ type: 'long',
+ description: 'The number of requests to read the previous row in key order.\n',
+ },
+ {
+ name: 'read_rnd',
+ type: 'long',
+ description: 'The number of requests to read a row based on a fixed position.\n',
+ },
+ {
+ name: 'read_rnd_next',
+ type: 'long',
+ description: 'The number of requests to read the next row in the data file.\n',
+ },
+ {
+ name: 'innodb',
+ type: 'group',
+ description: 'Contains fields relative to InnoDB engine\n',
+ fields: [
+ {
+ name: 'trx_id',
+ type: 'keyword',
+ description: 'Transaction ID\n',
+ },
+ {
+ name: 'io_r_ops',
+ type: 'long',
+ description: 'Number of page read operations.\n',
+ },
+ {
+ name: 'io_r_bytes',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes read during page read operations.\n',
+ },
+ {
+ name: 'io_r_wait.sec',
+ type: 'long',
+ description: 'How long it took to read all needed data from storage.\n',
+ },
+ {
+ name: 'rec_lock_wait.sec',
+ type: 'long',
+ description: 'How long the query waited for locks.\n',
+ },
+ {
+ name: 'queue_wait.sec',
+ type: 'long',
+ description:
+ 'How long the query waited to enter the InnoDB queue and to be executed once in the queue.\n',
+ },
+ {
+ name: 'pages_distinct',
+ type: 'long',
+ description: 'Approximated count of pages accessed to execute the query.\n',
+ },
+ ],
+ },
+ {
+ name: 'user',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'host',
+ type: 'alias',
+ path: 'source.domain',
+ migration: true,
+ },
+ {
+ name: 'ip',
+ type: 'alias',
+ path: 'source.ip',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'nats',
+ title: 'nats',
+ description: 'Module for parsing NATS log files.\n',
+ release: 'beta',
+ fields: [
+ {
+ name: 'nats',
+ type: 'group',
+ description: 'Fields from NATS logs.\n',
+ fields: [
+ {
+ name: 'log',
+ type: 'group',
+ description: 'Nats log files\n',
+ release: 'beta',
+ fields: [
+ {
+ name: 'client',
+ type: 'group',
+ description: 'Fields from NATS logs client.\n',
+ fields: [
+ {
+ name: 'id',
+ type: 'integer',
+ description: 'The id of the client\n',
+ },
+ ],
+ },
+ {
+ name: 'msg',
+ type: 'group',
+ description: 'Fields from NATS logs message.\n',
+ fields: [
+ {
+ name: 'bytes',
+ type: 'long',
+ format: 'bytes',
+ description: 'Size of the payload in bytes\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'The protocol message type\n',
+ },
+ {
+ name: 'subject',
+ type: 'keyword',
+ description: 'Subject name this message was received on\n',
+ },
+ {
+ name: 'sid',
+ type: 'integer',
+ description: 'The unique alphanumeric subscription ID of the subject\n',
+ },
+ {
+ name: 'reply_to',
+ type: 'keyword',
+ description:
+ 'The inbox subject on which the publisher is listening for responses\n',
+ },
+ {
+ name: 'max_messages',
+ type: 'integer',
+ description:
+ 'An optional number of messages to wait for before automatically unsubscribing\n',
+ },
+ {
+ name: 'error.message',
+ type: 'text',
+ description: 'Details about the error occurred\n',
+ },
+ {
+ name: 'queue_group',
+ type: 'text',
+ description: 'The queue group which subscriber will join\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'nginx',
+ title: 'Nginx',
+ description: 'Module for parsing the Nginx log files.\n',
+ short_config: true,
+ fields: [
+ {
+ name: 'nginx',
+ type: 'group',
+ description: 'Fields from the Nginx log files.\n',
+ fields: [
+ {
+ name: 'access',
+ type: 'group',
+ description: 'Contains fields for the Nginx access logs.\n',
+ fields: [
+ {
+ name: 'remote_ip_list',
+ type: 'array',
+ description:
+ 'An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`.\n',
+ },
+ {
+ name: 'body_sent.bytes',
+ type: 'alias',
+ path: 'http.response.body.bytes',
+ migration: true,
+ },
+ {
+ name: 'user_name',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'method',
+ type: 'alias',
+ path: 'http.request.method',
+ migration: true,
+ },
+ {
+ name: 'url',
+ type: 'alias',
+ path: 'url.original',
+ migration: true,
+ },
+ {
+ name: 'http_version',
+ type: 'alias',
+ path: 'http.version',
+ migration: true,
+ },
+ {
+ name: 'response_code',
+ type: 'alias',
+ path: 'http.response.status_code',
+ migration: true,
+ },
+ {
+ name: 'referrer',
+ type: 'alias',
+ path: 'http.request.referrer',
+ migration: true,
+ },
+ {
+ name: 'agent',
+ type: 'alias',
+ path: 'user_agent.original',
+ migration: true,
+ },
+ {
+ name: 'user_agent',
+ type: 'group',
+ fields: [
+ {
+ name: 'device',
+ type: 'alias',
+ path: 'user_agent.device.name',
+ migration: true,
+ },
+ {
+ name: 'name',
+ type: 'alias',
+ path: 'user_agent.name',
+ migration: true,
+ },
+ {
+ name: 'os',
+ type: 'alias',
+ path: 'user_agent.os.full_name',
+ migration: true,
+ },
+ {
+ name: 'os_name',
+ type: 'alias',
+ path: 'user_agent.os.name',
+ migration: true,
+ },
+ {
+ name: 'original',
+ type: 'alias',
+ path: 'user_agent.original',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'geoip',
+ type: 'group',
+ fields: [
+ {
+ name: 'continent_name',
+ type: 'alias',
+ path: 'source.geo.continent_name',
+ migration: true,
+ },
+ {
+ name: 'country_iso_code',
+ type: 'alias',
+ path: 'source.geo.country_iso_code',
+ migration: true,
+ },
+ {
+ name: 'location',
+ type: 'alias',
+ path: 'source.geo.location',
+ migration: true,
+ },
+ {
+ name: 'region_name',
+ type: 'alias',
+ path: 'source.geo.region_name',
+ migration: true,
+ },
+ {
+ name: 'city_name',
+ type: 'alias',
+ path: 'source.geo.city_name',
+ migration: true,
+ },
+ {
+ name: 'region_iso_code',
+ type: 'alias',
+ path: 'source.geo.region_iso_code',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'error',
+ type: 'group',
+ description: 'Contains fields for the Nginx error logs.\n',
+ fields: [
+ {
+ name: 'connection_id',
+ type: 'long',
+ description: 'Connection identifier.\n',
+ },
+ {
+ name: 'level',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'pid',
+ type: 'alias',
+ path: 'process.pid',
+ migration: true,
+ },
+ {
+ name: 'tid',
+ type: 'alias',
+ path: 'process.thread.id',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'ingress_controller',
+ type: 'group',
+ description: 'Contains fields for the Ingress Nginx controller access logs.\n',
+ fields: [
+ {
+ name: 'remote_ip_list',
+ type: 'array',
+ description:
+ 'An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`.\n',
+ },
+ {
+ name: 'http.request.length',
+ type: 'long',
+ format: 'bytes',
+ description:
+ 'The request length (including request line, header, and request body)\n',
+ },
+ {
+ name: 'http.request.time',
+ type: 'double',
+ format: 'duration',
+ description: 'Time elapsed since the first bytes were read from the client\n',
+ },
+ {
+ name: 'upstream.name',
+ type: 'text',
+ description: 'The name of the upstream.\n',
+ },
+ {
+ name: 'upstream.alternative_name',
+ type: 'text',
+ description: 'The name of the alternative upstream.\n',
+ },
+ {
+ name: 'upstream.response.length',
+ type: 'long',
+ format: 'bytes',
+ description: 'The length of the response obtained from the upstream server\n',
+ },
+ {
+ name: 'upstream.response.time',
+ type: 'double',
+ format: 'duration',
+ description:
+ 'The time spent on receiving the response from the upstream server as seconds with millisecond resolution\n',
+ },
+ {
+ name: 'upstream.response.status_code',
+ type: 'long',
+ description: 'The status code of the response obtained from the upstream server\n',
+ },
+ {
+ name: 'http.request.id',
+ type: 'text',
+ description: 'The randomly generated ID of the request\n',
+ },
+ {
+ name: 'upstream.ip',
+ type: 'ip',
+ description:
+ 'The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas.\n',
+ },
+ {
+ name: 'upstream.port',
+ type: 'long',
+ description: 'The port of the upstream server.\n',
+ },
+ {
+ name: 'body_sent.bytes',
+ type: 'alias',
+ path: 'http.response.body.bytes',
+ migration: true,
+ },
+ {
+ name: 'user_name',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'method',
+ type: 'alias',
+ path: 'http.request.method',
+ migration: true,
+ },
+ {
+ name: 'url',
+ type: 'alias',
+ path: 'url.original',
+ migration: true,
+ },
+ {
+ name: 'http_version',
+ type: 'alias',
+ path: 'http.version',
+ migration: true,
+ },
+ {
+ name: 'response_code',
+ type: 'alias',
+ path: 'http.response.status_code',
+ migration: true,
+ },
+ {
+ name: 'referrer',
+ type: 'alias',
+ path: 'http.request.referrer',
+ migration: true,
+ },
+ {
+ name: 'agent',
+ type: 'alias',
+ path: 'user_agent.original',
+ migration: true,
+ },
+ {
+ name: 'user_agent',
+ type: 'group',
+ fields: [
+ {
+ name: 'device',
+ type: 'alias',
+ path: 'user_agent.device.name',
+ migration: true,
+ },
+ {
+ name: 'name',
+ type: 'alias',
+ path: 'user_agent.name',
+ migration: true,
+ },
+ {
+ name: 'os',
+ type: 'alias',
+ path: 'user_agent.os.full_name',
+ migration: true,
+ },
+ {
+ name: 'os_name',
+ type: 'alias',
+ path: 'user_agent.os.name',
+ migration: true,
+ },
+ {
+ name: 'original',
+ type: 'alias',
+ path: 'user_agent.original',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'geoip',
+ type: 'group',
+ fields: [
+ {
+ name: 'continent_name',
+ type: 'alias',
+ path: 'source.geo.continent_name',
+ migration: true,
+ },
+ {
+ name: 'country_iso_code',
+ type: 'alias',
+ path: 'source.geo.country_iso_code',
+ migration: true,
+ },
+ {
+ name: 'location',
+ type: 'alias',
+ path: 'source.geo.location',
+ migration: true,
+ },
+ {
+ name: 'region_name',
+ type: 'alias',
+ path: 'source.geo.region_name',
+ migration: true,
+ },
+ {
+ name: 'city_name',
+ type: 'alias',
+ path: 'source.geo.city_name',
+ migration: true,
+ },
+ {
+ name: 'region_iso_code',
+ type: 'alias',
+ path: 'source.geo.region_iso_code',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'osquery',
+ title: 'Osquery',
+ description: 'Fields exported by the `osquery` module\n',
+ fields: [
+ {
+ name: 'osquery',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'result',
+ type: 'group',
+ description: 'Common fields exported by the result metricset.\n',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'The name of the query that generated this event.\n',
+ },
+ {
+ name: 'action',
+ type: 'keyword',
+ description:
+ 'For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot".\n',
+ },
+ {
+ name: 'host_identifier',
+ type: 'keyword',
+ description:
+ 'The identifier for the host on which the osquery agent is running. Normally the hostname.\n',
+ },
+ {
+ name: 'unix_time',
+ type: 'long',
+ description:
+ 'Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column.\n',
+ },
+ {
+ name: 'calendar_time',
+ type: 'keyword',
+ description:
+ 'String representation of the collection time, as formatted by osquery.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'postgresql',
+ title: 'PostgreSQL',
+ description: 'Module for parsing the PostgreSQL log files.\n',
+ short_config: true,
+ fields: [
+ {
+ name: 'postgresql',
+ type: 'group',
+ description: 'Fields from PostgreSQL logs.\n',
+ fields: [
+ {
+ name: 'log',
+ type: 'group',
+ description: 'Fields from the PostgreSQL log files.\n',
+ fields: [
+ {
+ name: 'timestamp',
+ deprecated: '7.3.0',
+ description: 'The timestamp from the log line.\n',
+ },
+ {
+ name: 'core_id',
+ type: 'long',
+ description: 'Core id\n',
+ },
+ {
+ name: 'database',
+ example: 'mydb',
+ description: 'Name of database\n',
+ },
+ {
+ name: 'query',
+ example: 'SELECT * FROM users;',
+ description: 'Query statement.\n',
+ },
+ {
+ name: 'query_step',
+ example: 'parse',
+ description:
+ 'Statement step when using extended query protocol (one of statement, parse, bind or execute)\n',
+ },
+ {
+ name: 'query_name',
+ example: 'pdo_stmt_00000001',
+ description:
+ 'Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored.\n',
+ },
+ {
+ name: 'error.code',
+ type: 'long',
+ description: 'Error code returned by Postgres (if any)',
+ },
+ {
+ name: 'timezone',
+ type: 'alias',
+ path: 'event.timezone',
+ migration: true,
+ },
+ {
+ name: 'thread_id',
+ type: 'alias',
+ path: 'process.pid',
+ migration: true,
+ },
+ {
+ name: 'user',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'level',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'redis',
+ title: 'Redis',
+ description: 'Redis Module\n',
+ fields: [
+ {
+ name: 'redis',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'log',
+ type: 'group',
+ description: 'Redis log files\n',
+ fields: [
+ {
+ name: 'role',
+ type: 'keyword',
+ description:
+ 'The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`.\n',
+ },
+ {
+ name: 'pid',
+ type: 'alias',
+ path: 'process.pid',
+ migration: true,
+ },
+ {
+ name: 'level',
+ type: 'alias',
+ path: 'log.level',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'slowlog',
+ type: 'group',
+ description: 'Slow logs are retrieved from Redis via a network connection.\n',
+ fields: [
+ {
+ name: 'cmd',
+ type: 'keyword',
+ description: 'The command executed.\n',
+ },
+ {
+ name: 'duration.us',
+ type: 'long',
+ description: 'How long it took to execute the command in microseconds.\n',
+ },
+ {
+ name: 'id',
+ type: 'long',
+ description: 'The ID of the query.\n',
+ },
+ {
+ name: 'key',
+ type: 'keyword',
+ description: 'The key on which the command was executed.\n',
+ },
+ {
+ name: 'args',
+ type: 'keyword',
+ description: 'The arguments with which the command was called.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'santa',
+ title: 'Google Santa',
+ description: 'Santa Module\n',
+ fields: [
+ {
+ name: 'santa',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'action',
+ type: 'keyword',
+ example: 'EXEC',
+ description: 'Action',
+ },
+ {
+ name: 'decision',
+ type: 'keyword',
+ example: 'ALLOW',
+ description: 'Decision that santad took.',
+ },
+ {
+ name: 'reason',
+ type: 'keyword',
+ example: 'CERT',
+ description: 'Reason for the decsision.',
+ },
+ {
+ name: 'mode',
+ type: 'keyword',
+ example: 'M',
+ description: 'Operating mode of Santa.',
+ },
+ {
+ name: 'disk',
+ type: 'group',
+ description: 'Fields for DISKAPPEAR actions.',
+ fields: [
+ {
+ name: 'volume',
+ description: 'The volume name.',
+ },
+ {
+ name: 'bus',
+ description: 'The disk bus protocol.',
+ },
+ {
+ name: 'serial',
+ description: 'The disk serial number.',
+ },
+ {
+ name: 'bsdname',
+ example: 'disk1s3',
+ description: 'The disk BSD name.',
+ },
+ {
+ name: 'model',
+ example: 'APPLE SSD SM0512L',
+ description: 'The disk model.',
+ },
+ {
+ name: 'fs',
+ example: 'apfs',
+ description: 'The disk volume kind (filesystem type).',
+ },
+ {
+ name: 'mount',
+ description: 'The disk volume path.',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'certificate.common_name',
+ type: 'keyword',
+ description: 'Common name from code signing certificate.',
+ },
+ {
+ name: 'certificate.sha256',
+ type: 'keyword',
+ description: 'SHA256 hash of code signing certificate.',
+ },
+ ],
+ },
+ {
+ key: 'system',
+ title: 'System',
+ description: 'Module for parsing system log files.\n',
+ short_config: true,
+ fields: [
+ {
+ name: 'system',
+ type: 'group',
+ description: 'Fields from the system log files.\n',
+ fields: [
+ {
+ name: 'auth',
+ type: 'group',
+ description: 'Fields from the Linux authorization logs.\n',
+ fields: [
+ {
+ name: 'timestamp',
+ type: 'alias',
+ path: '@timestamp',
+ migration: true,
+ },
+ {
+ name: 'hostname',
+ type: 'alias',
+ path: 'host.hostname',
+ migration: true,
+ },
+ {
+ name: 'program',
+ type: 'alias',
+ path: 'process.name',
+ migration: true,
+ },
+ {
+ name: 'pid',
+ type: 'alias',
+ path: 'process.pid',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ {
+ name: 'user',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'ssh',
+ type: 'group',
+ fields: [
+ {
+ name: 'method',
+ description:
+ 'The SSH authentication method. Can be one of "password" or "publickey".\n',
+ },
+ {
+ name: 'signature',
+ description: 'The signature of the client public key.\n',
+ },
+ {
+ name: 'dropped_ip',
+ type: 'ip',
+ description:
+ 'The client IP from SSH connections that are open and immediately dropped.\n',
+ },
+ {
+ name: 'event',
+ example: 'Accepted',
+ description:
+ 'The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)\n',
+ },
+ {
+ name: 'ip',
+ type: 'alias',
+ path: 'source.ip',
+ migration: true,
+ },
+ {
+ name: 'port',
+ type: 'alias',
+ path: 'source.port',
+ migration: true,
+ },
+ {
+ name: 'geoip',
+ type: 'group',
+ fields: [
+ {
+ name: 'continent_name',
+ type: 'alias',
+ path: 'source.geo.continent_name',
+ migration: true,
+ },
+ {
+ name: 'country_iso_code',
+ type: 'alias',
+ path: 'source.geo.country_iso_code',
+ migration: true,
+ },
+ {
+ name: 'location',
+ type: 'alias',
+ path: 'source.geo.location',
+ migration: true,
+ },
+ {
+ name: 'region_name',
+ type: 'alias',
+ path: 'source.geo.region_name',
+ migration: true,
+ },
+ {
+ name: 'city_name',
+ type: 'alias',
+ path: 'source.geo.city_name',
+ migration: true,
+ },
+ {
+ name: 'region_iso_code',
+ type: 'alias',
+ path: 'source.geo.region_iso_code',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'sudo',
+ type: 'group',
+ description: 'Fields specific to events created by the `sudo` command.\n',
+ fields: [
+ {
+ name: 'error',
+ example: 'user NOT in sudoers',
+ description: 'The error message in case the sudo command failed.\n',
+ },
+ {
+ name: 'tty',
+ description: 'The TTY where the sudo command is executed.\n',
+ },
+ {
+ name: 'pwd',
+ description: 'The current directory where the sudo command is executed.\n',
+ },
+ {
+ name: 'user',
+ example: 'root',
+ description: 'The target user to which the sudo command is switching.\n',
+ },
+ {
+ name: 'command',
+ description: 'The command executed via sudo.\n',
+ },
+ ],
+ },
+ {
+ name: 'useradd',
+ type: 'group',
+ description: 'Fields specific to events created by the `useradd` command.\n',
+ fields: [
+ {
+ name: 'home',
+ description: 'The home folder for the new user.',
+ },
+ {
+ name: 'shell',
+ description: 'The default shell for the new user.',
+ },
+ {
+ name: 'name',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'uid',
+ type: 'alias',
+ path: 'user.id',
+ migration: true,
+ },
+ {
+ name: 'gid',
+ type: 'alias',
+ path: 'group.id',
+ migration: true,
+ },
+ ],
+ },
+ {
+ name: 'groupadd',
+ type: 'group',
+ description: 'Fields specific to events created by the `groupadd` command.\n',
+ fields: [
+ {
+ name: 'name',
+ type: 'alias',
+ path: 'group.name',
+ migration: true,
+ },
+ {
+ name: 'gid',
+ type: 'alias',
+ path: 'group.id',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'syslog',
+ type: 'group',
+ description: 'Contains fields from the syslog system logs.\n',
+ fields: [
+ {
+ name: 'timestamp',
+ type: 'alias',
+ path: '@timestamp',
+ migration: true,
+ },
+ {
+ name: 'hostname',
+ type: 'alias',
+ path: 'host.hostname',
+ migration: true,
+ },
+ {
+ name: 'program',
+ type: 'alias',
+ path: 'process.name',
+ migration: true,
+ },
+ {
+ name: 'pid',
+ type: 'alias',
+ path: 'process.pid',
+ migration: true,
+ },
+ {
+ name: 'message',
+ type: 'alias',
+ path: 'message',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'traefik',
+ title: 'Traefik',
+ description: 'Module for parsing the Traefik log files.\n',
+ fields: [
+ {
+ name: 'traefik',
+ type: 'group',
+ description: 'Fields from the Traefik log files.\n',
+ fields: [
+ {
+ name: 'access',
+ type: 'group',
+ description: 'Contains fields for the Traefik access logs.\n',
+ fields: [
+ {
+ name: 'user_identifier',
+ type: 'keyword',
+ description: 'Is the RFC 1413 identity of the client\n',
+ },
+ {
+ name: 'request_count',
+ type: 'long',
+ description: 'The number of requests\n',
+ },
+ {
+ name: 'frontend_name',
+ type: 'keyword',
+ description: 'The name of the frontend used\n',
+ },
+ {
+ name: 'backend_url',
+ type: 'keyword',
+ description: 'The url of the backend where request is forwarded',
+ },
+ {
+ name: 'body_sent.bytes',
+ type: 'alias',
+ path: 'http.response.body.bytes',
+ migration: true,
+ },
+ {
+ name: 'remote_ip',
+ type: 'alias',
+ path: 'source.address',
+ migration: true,
+ },
+ {
+ name: 'user_name',
+ type: 'alias',
+ path: 'user.name',
+ migration: true,
+ },
+ {
+ name: 'method',
+ type: 'alias',
+ path: 'http.request.method',
+ migration: true,
+ },
+ {
+ name: 'url',
+ type: 'alias',
+ path: 'url.original',
+ migration: true,
+ },
+ {
+ name: 'http_version',
+ type: 'alias',
+ path: 'http.version',
+ migration: true,
+ },
+ {
+ name: 'response_code',
+ type: 'alias',
+ path: 'http.response.status_code',
+ migration: true,
+ },
+ {
+ name: 'referrer',
+ type: 'alias',
+ path: 'http.request.referrer',
+ migration: true,
+ },
+ {
+ name: 'agent',
+ type: 'alias',
+ path: 'user_agent.original',
+ migration: true,
+ },
+ {
+ name: 'user_agent',
+ type: 'group',
+ fields: [
+ {
+ name: 'device',
+ type: 'alias',
+ path: 'user_agent.device.name',
+ },
+ {
+ name: 'name',
+ type: 'alias',
+ path: 'user_agent.name',
+ },
+ {
+ name: 'os',
+ type: 'alias',
+ path: 'user_agent.os.full_name',
+ },
+ {
+ name: 'os_name',
+ type: 'alias',
+ path: 'user_agent.os.name',
+ },
+ {
+ name: 'original',
+ type: 'alias',
+ path: 'user_agent.original',
+ },
+ ],
+ },
+ {
+ name: 'geoip',
+ type: 'group',
+ fields: [
+ {
+ name: 'continent_name',
+ type: 'alias',
+ path: 'source.geo.continent_name',
+ },
+ {
+ name: 'country_iso_code',
+ type: 'alias',
+ path: 'source.geo.country_iso_code',
+ },
+ {
+ name: 'location',
+ type: 'alias',
+ path: 'source.geo.location',
+ },
+ {
+ name: 'region_name',
+ type: 'alias',
+ path: 'source.geo.region_name',
+ },
+ {
+ name: 'city_name',
+ type: 'alias',
+ path: 'source.geo.city_name',
+ },
+ {
+ name: 'region_iso_code',
+ type: 'alias',
+ path: 'source.geo.region_iso_code',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'activemq',
+ title: 'activemq',
+ release: 'ga',
+ description: 'Module for parsing ActiveMQ log files.\n',
+ fields: [
+ {
+ name: 'activemq',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'caller',
+ type: 'keyword',
+ description: 'Name of the caller issuing the logging request (class or resource).\n',
+ },
+ {
+ name: 'thread',
+ type: 'keyword',
+ description: 'Thread that generated the logging event.\n',
+ },
+ {
+ name: 'user',
+ type: 'keyword',
+ description: 'User that generated the logging event.\n',
+ },
+ {
+ name: 'audit',
+ type: 'group',
+ description: 'Fields from ActiveMQ audit logs.\n',
+ fields: [],
+ },
+ {
+ name: 'log',
+ type: 'group',
+ description: 'Fields from ActiveMQ application logs.\n',
+ fields: [
+ {
+ name: 'stack_trace',
+ type: 'keyword',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'aws',
+ title: 'AWS',
+ release: 'beta',
+ description: 'Module for handling logs from AWS.\n',
+ fields: [
+ {
+ name: 'aws',
+ type: 'group',
+ description: 'Fields from AWS logs.\n',
+ fields: [
+ {
+ name: 'cloudtrail',
+ type: 'group',
+ release: 'beta',
+ default_field: false,
+ description: 'Fields for AWS CloudTrail logs.\n',
+ fields: [
+ {
+ name: 'event_version',
+ type: 'keyword',
+ description: 'The CloudTrail version of the log event format.\n',
+ },
+ {
+ name: 'user_identity',
+ type: 'group',
+ description:
+ 'The userIdentity element contains details about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the element shows how the credentials were obtained.',
+ fields: [
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'The type of the identity\n',
+ },
+ {
+ name: 'arn',
+ type: 'keyword',
+ description:
+ 'The Amazon Resource Name (ARN) of the principal that made the call.',
+ },
+ {
+ name: 'access_key_id',
+ type: 'keyword',
+ description: 'The access key ID that was used to sign the request.',
+ },
+ {
+ name: 'session_context',
+ type: 'group',
+ description:
+ 'If the request was made with temporary security credentials, an element that provides information about the session that was created for those credentials',
+ fields: [
+ {
+ name: 'mfa_authenticated',
+ type: 'keyword',
+ description:
+ 'The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false.',
+ },
+ {
+ name: 'creation_date',
+ type: 'date',
+ description:
+ 'The date and time when the temporary security credentials were issued.',
+ },
+ ],
+ },
+ {
+ name: 'invoked_by',
+ type: 'keyword',
+ description:
+ 'The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk.',
+ },
+ {
+ name: 'session_issuer',
+ type: 'group',
+ description:
+ 'If the request was made with temporary security credentials, an element that provides information about how the credentials were obtained.',
+ fields: [
+ {
+ name: 'type',
+ type: 'keyword',
+ description:
+ 'The source of the temporary security credentials, such as Root, IAMUser, or Role.',
+ },
+ {
+ name: 'principal_id',
+ type: 'keyword',
+ description:
+ 'The internal ID of the entity that was used to get credentials.',
+ },
+ {
+ name: 'arn',
+ type: 'keyword',
+ description:
+ 'The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials.',
+ },
+ {
+ name: 'account_id',
+ type: 'keyword',
+ description:
+ 'The account that owns the entity that was used to get credentials.',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'error_code',
+ type: 'keyword',
+ description: 'The AWS service error if the request returns an error.',
+ },
+ {
+ name: 'error_message',
+ type: 'keyword',
+ description: 'If the request returns an error, the description of the error.',
+ },
+ {
+ name: 'request_parameters',
+ type: 'keyword',
+ description: 'The parameters, if any, that were sent with the request.',
+ },
+ {
+ name: 'response_elements',
+ type: 'keyword',
+ description:
+ 'The response element for actions that make changes (create, update, or delete actions).',
+ },
+ {
+ name: 'additional_eventdata',
+ type: 'keyword',
+ description:
+ 'Additional data about the event that was not part of the request or response.',
+ },
+ {
+ name: 'request_id',
+ type: 'keyword',
+ description:
+ 'The value that identifies the request. The service being called generates this value.',
+ },
+ {
+ name: 'event_type',
+ type: 'keyword',
+ description: 'Identifies the type of event that generated the event record.',
+ },
+ {
+ name: 'api_version',
+ type: 'keyword',
+ description:
+ 'Identifies the API version associated with the AwsApiCall eventType value.',
+ },
+ {
+ name: 'management_event',
+ type: 'keyword',
+ description:
+ 'A Boolean value that identifies whether the event is a management event.',
+ },
+ {
+ name: 'read_only',
+ type: 'keyword',
+ description: 'Identifies whether this operation is a read-only operation.',
+ },
+ {
+ name: 'resources',
+ type: 'group',
+ description: 'A list of resources accessed in the event.',
+ fields: [
+ {
+ name: 'arn',
+ type: 'keyword',
+ description: 'Resource ARNs',
+ },
+ {
+ name: 'account_id',
+ type: 'keyword',
+ description: 'Account ID of the resource owner',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description:
+ 'Resource type identifier in the format: AWS::aws-service-name::data-type-name',
+ },
+ ],
+ },
+ {
+ name: 'recipient_account_id',
+ type: 'keyword',
+ description: 'Represents the account ID that received this event.',
+ },
+ {
+ name: 'service_event_details',
+ type: 'keyword',
+ description:
+ 'Identifies the service event, including what triggered the event and the result.',
+ },
+ {
+ name: 'shared_event_id',
+ type: 'keyword',
+ description:
+ 'GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts.',
+ },
+ {
+ name: 'vpc_endpoint_id',
+ type: 'keyword',
+ description:
+ 'Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3.',
+ },
+ {
+ name: 'console_login',
+ type: 'group',
+ description: 'Fields specific to ConsoleLogin events',
+ fields: [
+ {
+ name: 'additional_eventdata',
+ type: 'group',
+ description: 'Additional Event Data for ConsoleLogin events\n',
+ fields: [
+ {
+ name: 'mobile_version',
+ type: 'boolean',
+ description: 'Identifies whether ConsoleLogin was from mobile version',
+ },
+ {
+ name: 'login_to',
+ type: 'keyword',
+ description: 'URL for ConsoleLogin',
+ },
+ {
+ name: 'mfa_used',
+ type: 'boolean',
+ description:
+ 'Identifies whether multi factor authentication was used during ConsoleLogin',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'cloudwatch',
+ type: 'group',
+ release: 'beta',
+ default_field: false,
+ description: 'Fields for AWS CloudWatch logs.\n',
+ fields: [],
+ },
+ {
+ name: 'ec2',
+ type: 'group',
+ release: 'beta',
+ default_field: false,
+ description: 'Fields for AWS EC2 logs in CloudWatch.\n',
+ fields: [
+ {
+ name: 'ip_address',
+ type: 'keyword',
+ description: 'The internet address of the requester.\n',
+ },
+ ],
+ },
+ {
+ name: 'elb',
+ type: 'group',
+ release: 'ga',
+ description: 'Fields for AWS ELB logs.\n',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'The name of the load balancer.\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'The type of the load balancer for v2 Load Balancers.\n',
+ },
+ {
+ name: 'target_group.arn',
+ type: 'keyword',
+ description: 'The ARN of the target group handling the request.\n',
+ },
+ {
+ name: 'listener',
+ type: 'keyword',
+ description: 'The ELB listener that received the connection.\n',
+ },
+ {
+ name: 'protocol',
+ type: 'keyword',
+ description: 'The protocol of the load balancer (http or tcp).\n',
+ },
+ {
+ name: 'request_processing_time.sec',
+ type: 'float',
+ description:
+ 'The total time in seconds since the connection or request is received until it is sent to a registered backend.\n',
+ },
+ {
+ name: 'backend_processing_time.sec',
+ type: 'float',
+ description:
+ 'The total time in seconds since the connection is sent to the backend till the backend starts responding.\n',
+ },
+ {
+ name: 'response_processing_time.sec',
+ type: 'float',
+ description:
+ 'The total time in seconds since the response is received from the backend till it is sent to the client.\n',
+ },
+ {
+ name: 'connection_time.ms',
+ type: 'long',
+ description:
+ 'The total time of the connection in milliseconds, since it is opened till it is closed.\n',
+ },
+ {
+ name: 'tls_handshake_time.ms',
+ type: 'long',
+ description:
+ 'The total time for the TLS handshake to complete in milliseconds once the connection has been established.\n',
+ },
+ {
+ name: 'backend.ip',
+ type: 'keyword',
+ description: 'The IP address of the backend processing this connection.\n',
+ },
+ {
+ name: 'backend.port',
+ type: 'keyword',
+ description: 'The port in the backend processing this connection.\n',
+ },
+ {
+ name: 'backend.http.response.status_code',
+ type: 'keyword',
+ description:
+ 'The status code from the backend (status code sent to the client from ELB is stored in `http.response.status_code`\n',
+ },
+ {
+ name: 'ssl_cipher',
+ type: 'keyword',
+ description: 'The SSL cipher used in TLS/SSL connections.\n',
+ },
+ {
+ name: 'ssl_protocol',
+ type: 'keyword',
+ description: 'The SSL protocol used in TLS/SSL connections.\n',
+ },
+ {
+ name: 'chosen_cert.arn',
+ type: 'keyword',
+ description:
+ 'The ARN of the chosen certificate presented to the client in TLS/SSL connections.\n',
+ },
+ {
+ name: 'chosen_cert.serial',
+ type: 'keyword',
+ description:
+ 'The serial number of the chosen certificate presented to the client in TLS/SSL connections.\n',
+ },
+ {
+ name: 'incoming_tls_alert',
+ type: 'keyword',
+ description:
+ 'The integer value of TLS alerts received by the load balancer from the client, if present.\n',
+ },
+ {
+ name: 'tls_named_group',
+ type: 'keyword',
+ description: 'The TLS named group.\n',
+ },
+ {
+ name: 'trace_id',
+ type: 'keyword',
+ description: 'The contents of the `X-Amzn-Trace-Id` header.\n',
+ },
+ {
+ name: 'matched_rule_priority',
+ type: 'keyword',
+ description:
+ 'The priority value of the rule that matched the request, if a rule matched.\n',
+ },
+ {
+ name: 'action_executed',
+ type: 'keyword',
+ description:
+ 'The action executed when processing the request (forward, fixed-response, authenticate...). It can contain several values.\n',
+ },
+ {
+ name: 'redirect_url',
+ type: 'keyword',
+ description: 'The URL used if a redirection action was executed.\n',
+ },
+ {
+ name: 'error.reason',
+ type: 'keyword',
+ description: 'The error reason if the executed action failed.',
+ },
+ ],
+ },
+ {
+ name: 's3access',
+ type: 'group',
+ release: 'ga',
+ description: 'Fields for AWS S3 server access logs.\n',
+ fields: [
+ {
+ name: 'bucket_owner',
+ type: 'keyword',
+ description: 'The canonical user ID of the owner of the source bucket.\n',
+ },
+ {
+ name: 'bucket',
+ type: 'keyword',
+ description: 'The name of the bucket that the request was processed against.\n',
+ },
+ {
+ name: 'remote_ip',
+ type: 'ip',
+ description: 'The apparent internet address of the requester.\n',
+ },
+ {
+ name: 'requester',
+ type: 'keyword',
+ description:
+ 'The canonical user ID of the requester, or a - for unauthenticated requests.\n',
+ },
+ {
+ name: 'request_id',
+ type: 'keyword',
+ description: 'A string generated by Amazon S3 to uniquely identify each request.\n',
+ },
+ {
+ name: 'operation',
+ type: 'keyword',
+ description:
+ 'The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.\n',
+ },
+ {
+ name: 'key',
+ type: 'keyword',
+ description:
+ 'The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter.\n',
+ },
+ {
+ name: 'request_uri',
+ type: 'keyword',
+ description: 'The Request-URI part of the HTTP request message.\n',
+ },
+ {
+ name: 'http_status',
+ type: 'long',
+ description: 'The numeric HTTP status code of the response.\n',
+ },
+ {
+ name: 'error_code',
+ type: 'keyword',
+ description: 'The Amazon S3 Error Code, or "-" if no error occurred.\n',
+ },
+ {
+ name: 'bytes_sent',
+ type: 'long',
+ description:
+ 'The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.\n',
+ },
+ {
+ name: 'object_size',
+ type: 'long',
+ description: 'The total size of the object in question.\n',
+ },
+ {
+ name: 'total_time',
+ type: 'long',
+ description:
+ "The number of milliseconds the request was in flight from the server's perspective.\n",
+ },
+ {
+ name: 'turn_around_time',
+ type: 'long',
+ description:
+ 'The number of milliseconds that Amazon S3 spent processing your request.\n',
+ },
+ {
+ name: 'referrer',
+ type: 'keyword',
+ description: 'The value of the HTTP Referrer header, if present.\n',
+ },
+ {
+ name: 'user_agent',
+ type: 'keyword',
+ description: 'The value of the HTTP User-Agent header.\n',
+ },
+ {
+ name: 'version_id',
+ type: 'keyword',
+ description:
+ 'The version ID in the request, or "-" if the operation does not take a versionId parameter.\n',
+ },
+ {
+ name: 'host_id',
+ type: 'keyword',
+ description: 'The x-amz-id-2 or Amazon S3 extended request ID.\n',
+ },
+ {
+ name: 'signature_version',
+ type: 'keyword',
+ description:
+ 'The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests.\n',
+ },
+ {
+ name: 'cipher_suite',
+ type: 'keyword',
+ description:
+ 'The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP.\n',
+ },
+ {
+ name: 'authentication_type',
+ type: 'keyword',
+ description:
+ 'The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests.\n',
+ },
+ {
+ name: 'host_header',
+ type: 'keyword',
+ description: 'The endpoint used to connect to Amazon S3.\n',
+ },
+ {
+ name: 'tls_version',
+ type: 'keyword',
+ description:
+ 'The Transport Layer Security (TLS) version negotiated by the client.\n',
+ },
+ ],
+ },
+ {
+ name: 'vpcflow',
+ type: 'group',
+ release: 'beta',
+ description: 'Fields for AWS VPC flow logs.\n',
+ fields: [
+ {
+ name: 'version',
+ type: 'keyword',
+ description:
+ 'The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.\n',
+ },
+ {
+ name: 'account_id',
+ type: 'keyword',
+ description: 'The AWS account ID for the flow log.\n',
+ },
+ {
+ name: 'interface_id',
+ type: 'keyword',
+ description: 'The ID of the network interface for which the traffic is recorded.\n',
+ },
+ {
+ name: 'action',
+ type: 'keyword',
+ description: 'The action that is associated with the traffic, ACCEPT or REJECT.\n',
+ },
+ {
+ name: 'log_status',
+ type: 'keyword',
+ description: 'The logging status of the flow log, OK, NODATA or SKIPDATA.\n',
+ },
+ {
+ name: 'instance_id',
+ type: 'keyword',
+ description:
+ "The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you.\n",
+ },
+ {
+ name: 'pkt_srcaddr',
+ type: 'ip',
+ description: 'The packet-level (original) source IP address of the traffic.\n',
+ },
+ {
+ name: 'pkt_dstaddr',
+ type: 'ip',
+ description:
+ 'The packet-level (original) destination IP address for the traffic.\n',
+ },
+ {
+ name: 'vpc_id',
+ type: 'keyword',
+ description:
+ 'The ID of the VPC that contains the network interface for which the traffic is recorded.\n',
+ },
+ {
+ name: 'subnet_id',
+ type: 'keyword',
+ description:
+ 'The ID of the subnet that contains the network interface for which the traffic is recorded.\n',
+ },
+ {
+ name: 'tcp_flags',
+ type: 'keyword',
+ description:
+ 'The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'The type of traffic: IPv4, IPv6, or EFA.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'azure',
+ title: 'Azure',
+ release: 'beta',
+ description: 'Azure Module\n',
+ fields: [
+ {
+ name: 'azure',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'subscription_id',
+ type: 'keyword',
+ description: 'Azure subscription ID\n',
+ },
+ {
+ name: 'correlation_id',
+ type: 'keyword',
+ description: 'Correlation ID\n',
+ },
+ {
+ name: 'tenant_id',
+ type: 'keyword',
+ description: 'tenant ID\n',
+ },
+ {
+ name: 'resource',
+ type: 'group',
+ description: 'Resource\n',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Resource ID\n',
+ },
+ {
+ name: 'group',
+ type: 'keyword',
+ description: 'Resource group\n',
+ },
+ {
+ name: 'provider',
+ type: 'keyword',
+ description: 'Resource type/namespace\n',
+ },
+ {
+ name: 'namespace',
+ type: 'keyword',
+ description: 'Resource type/namespace\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Name\n',
+ },
+ {
+ name: 'authorization_rule',
+ type: 'keyword',
+ description: 'Authorization rule\n',
+ },
+ ],
+ },
+ {
+ name: 'activitylogs',
+ type: 'group',
+ release: 'beta',
+ description: 'Fields for Azure activity logs.\n',
+ fields: [
+ {
+ name: 'identity',
+ type: 'group',
+ description: 'Identity\n',
+ fields: [
+ {
+ name: 'claims_initiated_by_user',
+ type: 'group',
+ description: 'Claims initiated by user\n',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Name\n',
+ },
+ {
+ name: 'givenname',
+ type: 'keyword',
+ description: 'Givenname\n',
+ },
+ {
+ name: 'surname',
+ type: 'keyword',
+ description: 'Surname\n',
+ },
+ {
+ name: 'fullname',
+ type: 'keyword',
+ description: 'Fullname\n',
+ },
+ {
+ name: 'schema',
+ type: 'keyword',
+ description: 'Schema\n',
+ },
+ ],
+ },
+ {
+ name: 'claims.*',
+ type: 'object',
+ object_type: 'keyword',
+ object_type_mapping_type: '*',
+ description: 'Claims\n',
+ },
+ {
+ name: 'authorization',
+ type: 'group',
+ description: 'Authorization\n',
+ fields: [
+ {
+ name: 'scope',
+ type: 'keyword',
+ description: 'Scope\n',
+ },
+ {
+ name: 'action',
+ type: 'keyword',
+ description: 'Action\n',
+ },
+ {
+ name: 'evidence',
+ type: 'group',
+ description: 'Evidence\n',
+ fields: [
+ {
+ name: 'role_assignment_scope',
+ type: 'keyword',
+ description: 'Role assignment scope\n',
+ },
+ {
+ name: 'role_definition_id',
+ type: 'keyword',
+ description: 'Role definition ID\n',
+ },
+ {
+ name: 'role',
+ type: 'keyword',
+ description: 'Role\n',
+ },
+ {
+ name: 'role_assignment_id',
+ type: 'keyword',
+ description: 'Role assignment ID\n',
+ },
+ {
+ name: 'principal_id',
+ type: 'keyword',
+ description: 'Principal ID\n',
+ },
+ {
+ name: 'principal_type',
+ type: 'keyword',
+ description: 'Principal type\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'operation_name',
+ type: 'keyword',
+ description: 'Operation name\n',
+ },
+ {
+ name: 'result_signature',
+ type: 'keyword',
+ description: 'Result signature\n',
+ },
+ {
+ name: 'category',
+ type: 'keyword',
+ description: 'Category\n',
+ },
+ {
+ name: 'properties',
+ type: 'group',
+ description: 'Properties\n',
+ fields: [
+ {
+ name: 'service_request_id',
+ type: 'keyword',
+ description: 'Service Request Id\n',
+ },
+ {
+ name: 'status_code',
+ type: 'keyword',
+ description: 'Status code\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'auditlogs',
+ type: 'group',
+ description: 'Fields for Azure audit logs.\n',
+ fields: [
+ {
+ name: 'operation_name',
+ type: 'keyword',
+ description: 'The operation name\n',
+ },
+ {
+ name: 'operation_version',
+ type: 'keyword',
+ description: 'The operation version\n',
+ },
+ {
+ name: 'identity',
+ type: 'keyword',
+ description: 'Identity\n',
+ },
+ {
+ name: 'tenant_id',
+ type: 'keyword',
+ description: 'Tenant ID\n',
+ },
+ {
+ name: 'result_signature',
+ type: 'keyword',
+ description: 'Result signature\n',
+ },
+ {
+ name: 'properties',
+ type: 'group',
+ description: 'The audit log properties\n',
+ fields: [
+ {
+ name: 'result',
+ type: 'keyword',
+ description: 'Log result\n',
+ },
+ {
+ name: 'activity_display_name',
+ type: 'keyword',
+ description: 'Activity display name\n',
+ },
+ {
+ name: 'result_reason',
+ type: 'keyword',
+ description: 'Reason for the log result\n',
+ },
+ {
+ name: 'correlation_id',
+ type: 'keyword',
+ description: 'Correlation ID\n',
+ },
+ {
+ name: 'logged_by_service',
+ type: 'keyword',
+ description: 'Logged by service\n',
+ },
+ {
+ name: 'operation_type',
+ type: 'keyword',
+ description: 'Operation type\n',
+ },
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'ID\n',
+ },
+ {
+ name: 'activity_datetime',
+ type: 'date',
+ description: 'Activity timestamp\n',
+ },
+ {
+ name: 'category',
+ type: 'keyword',
+ description: 'category\n',
+ },
+ {
+ name: 'target_resources.*',
+ type: 'group',
+ object_type_mapping_type: '*',
+ description: 'Target resources\n',
+ fields: [
+ {
+ name: 'display_name',
+ type: 'keyword',
+ description: 'Display name\n',
+ },
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'ID\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'Type\n',
+ },
+ {
+ name: 'ip_address',
+ type: 'keyword',
+ description: 'ip Address\n',
+ },
+ {
+ name: 'user_principal_name',
+ type: 'keyword',
+ description: 'User principal name\n',
+ },
+ {
+ name: 'modified_properties.*',
+ type: 'group',
+ object_type: 'keyword',
+ object_type_mapping_type: '*',
+ description: 'Modified properties\n',
+ fields: [
+ {
+ name: 'new_value',
+ type: 'keyword',
+ description: 'New value\n',
+ },
+ {
+ name: 'display_name',
+ type: 'keyword',
+ description: 'Display value\n',
+ },
+ {
+ name: 'old_value',
+ type: 'keyword',
+ description: 'Old value\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'initiated_by',
+ type: 'group',
+ description: 'Information regarding the initiator\n',
+ fields: [
+ {
+ name: 'app',
+ type: 'group',
+ description: 'App\n',
+ fields: [
+ {
+ name: 'servicePrincipalName',
+ type: 'keyword',
+ description: 'Service principal name\n',
+ },
+ {
+ name: 'displayName',
+ type: 'keyword',
+ description: 'Display name\n',
+ },
+ {
+ name: 'appId',
+ type: 'keyword',
+ description: 'App ID\n',
+ },
+ {
+ name: 'servicePrincipalId',
+ type: 'keyword',
+ description: 'Service principal ID\n',
+ },
+ ],
+ },
+ {
+ name: 'user',
+ type: 'group',
+ description: 'User\n',
+ fields: [
+ {
+ name: 'userPrincipalName',
+ type: 'keyword',
+ description: 'User principal name\n',
+ },
+ {
+ name: 'displayName',
+ type: 'keyword',
+ description: 'Display name\n',
+ },
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'ID\n',
+ },
+ {
+ name: 'ipAddress',
+ type: 'keyword',
+ description: 'ip Address\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'signinlogs',
+ type: 'group',
+ description: 'Fields for Azure sign-in logs.\n',
+ fields: [
+ {
+ name: 'operation_name',
+ type: 'keyword',
+ description: 'The operation name\n',
+ },
+ {
+ name: 'operation_version',
+ type: 'keyword',
+ description: 'The operation version\n',
+ },
+ {
+ name: 'tenant_id',
+ type: 'keyword',
+ description: 'Tenant ID\n',
+ },
+ {
+ name: 'result_signature',
+ type: 'keyword',
+ description: 'Result signature\n',
+ },
+ {
+ name: 'result_description',
+ type: 'keyword',
+ description: 'Result description\n',
+ },
+ {
+ name: 'identity',
+ type: 'keyword',
+ description: 'Identity\n',
+ },
+ {
+ name: 'properties',
+ type: 'group',
+ description: 'The signin log properties\n',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'ID\n',
+ },
+ {
+ name: 'created_at',
+ type: 'date',
+ description: 'Created date time\n',
+ },
+ {
+ name: 'user_display_name',
+ type: 'keyword',
+ description: 'User display name\n',
+ },
+ {
+ name: 'correlation_id',
+ type: 'keyword',
+ description: 'Correlation ID\n',
+ },
+ {
+ name: 'user_principal_name',
+ type: 'keyword',
+ description: 'User principal name\n',
+ },
+ {
+ name: 'user_id',
+ type: 'keyword',
+ description: 'User ID\n',
+ },
+ {
+ name: 'app_id',
+ type: 'keyword',
+ description: 'App ID\n',
+ },
+ {
+ name: 'app_display_name',
+ type: 'keyword',
+ description: 'App display name\n',
+ },
+ {
+ name: 'ip_address',
+ type: 'keyword',
+ description: 'Ip address\n',
+ },
+ {
+ name: 'client_app_used',
+ type: 'keyword',
+ description: 'Client app used\n',
+ },
+ {
+ name: 'conditional_access_status',
+ type: 'keyword',
+ description: 'Conditional access status\n',
+ },
+ {
+ name: 'original_request_id',
+ type: 'keyword',
+ description: 'Original request ID\n',
+ },
+ {
+ name: 'is_interactive',
+ type: 'keyword',
+ description: 'Is interactive\n',
+ },
+ {
+ name: 'token_issuer_name',
+ type: 'keyword',
+ description: 'Token issuer name\n',
+ },
+ {
+ name: 'token_issuer_type',
+ type: 'keyword',
+ description: 'Token issuer type\n',
+ },
+ {
+ name: 'processing_time_ms',
+ type: 'float',
+ description: 'Processing time in milliseconds\n',
+ },
+ {
+ name: 'risk_detail',
+ type: 'keyword',
+ description: 'Risk detail\n',
+ },
+ {
+ name: 'risk_level_aggregated',
+ type: 'keyword',
+ description: 'Risk level aggregated\n',
+ },
+ {
+ name: 'risk_level_during_signin',
+ type: 'keyword',
+ description: 'Risk level during signIn\n',
+ },
+ {
+ name: 'risk_state',
+ type: 'keyword',
+ description: 'Risk state\n',
+ },
+ {
+ name: 'resource_display_name',
+ type: 'keyword',
+ description: 'Resource display name\n',
+ },
+ {
+ name: 'status',
+ type: 'group',
+ description: 'Status\n',
+ fields: [
+ {
+ name: 'error_code',
+ type: 'keyword',
+ description: 'Error code\n',
+ },
+ ],
+ },
+ {
+ name: 'device_detail',
+ type: 'group',
+ description: 'Status\n',
+ fields: [
+ {
+ name: 'device_id',
+ type: 'keyword',
+ description: 'Device ID\n',
+ },
+ {
+ name: 'operating_system',
+ type: 'keyword',
+ description: 'Operating system\n',
+ },
+ {
+ name: 'browser',
+ type: 'keyword',
+ description: 'Browser\n',
+ },
+ {
+ name: 'display_name',
+ type: 'keyword',
+ description: 'Display name\n',
+ },
+ {
+ name: 'trust_type',
+ type: 'keyword',
+ description: 'Trust type\n',
+ },
+ ],
+ },
+ {
+ name: 'service_principal_id',
+ type: 'keyword',
+ description: 'Status\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'cef-module',
+ title: 'CEF',
+ description:
+ 'Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides.\n',
+ fields: [
+ {
+ name: 'forcepoint',
+ type: 'group',
+ default_field: false,
+ description: 'Fields for Forcepoint Custom String mappings\n',
+ fields: [
+ {
+ name: 'virus_id',
+ type: 'keyword',
+ description: 'Virus ID\n',
+ },
+ ],
+ },
+ {
+ name: 'checkpoint',
+ type: 'group',
+ default_field: false,
+ description: 'Fields for Check Point custom string mappings.\n',
+ fields: [
+ {
+ name: 'app_risk',
+ type: 'keyword',
+ description: 'Application risk.',
+ },
+ {
+ name: 'app_severity',
+ type: 'keyword',
+ description: 'Application threat severity.',
+ },
+ {
+ name: 'app_sig_id',
+ type: 'keyword',
+ description: 'The signature ID which the application was detected by.',
+ },
+ {
+ name: 'auth_method',
+ type: 'keyword',
+ description: 'Password authentication protocol used.',
+ },
+ {
+ name: 'category',
+ type: 'keyword',
+ description: 'Category.',
+ },
+ {
+ name: 'confidence_level',
+ type: 'keyword',
+ description: 'Confidence level determined.',
+ },
+ {
+ name: 'connectivity_state',
+ type: 'keyword',
+ description: 'Connectivity state.',
+ },
+ {
+ name: 'cookie',
+ type: 'keyword',
+ description: 'IKE cookie.',
+ },
+ {
+ name: 'dst_phone_number',
+ type: 'keyword',
+ description: 'Destination IP-Phone.',
+ },
+ {
+ name: 'email_control',
+ type: 'keyword',
+ description: 'Engine name.',
+ },
+ {
+ name: 'email_id',
+ type: 'keyword',
+ description: 'Internal email ID.',
+ },
+ {
+ name: 'email_recipients_num',
+ type: 'long',
+ description: 'Number of recipients.',
+ },
+ {
+ name: 'email_session_id',
+ type: 'keyword',
+ description: 'Internal email session ID.',
+ },
+ {
+ name: 'email_spool_id',
+ type: 'keyword',
+ description: 'Internal email spool ID.',
+ },
+ {
+ name: 'email_subject',
+ type: 'keyword',
+ description: 'Email subject.',
+ },
+ {
+ name: 'event_count',
+ type: 'long',
+ description: 'Number of events associated with the log.',
+ },
+ {
+ name: 'file_hash',
+ type: 'keyword',
+ description: 'File hash (SHA1 or MD5).',
+ },
+ {
+ name: 'frequency',
+ type: 'keyword',
+ description: 'Scan frequency.',
+ },
+ {
+ name: 'icmp_type',
+ type: 'long',
+ description: 'ICMP type.',
+ },
+ {
+ name: 'icmp_code',
+ type: 'long',
+ description: 'ICMP code.',
+ },
+ {
+ name: 'identity_type',
+ type: 'keyword',
+ description: 'Identity type.',
+ },
+ {
+ name: 'incident_extension',
+ type: 'keyword',
+ description: 'Format of original data.',
+ },
+ {
+ name: 'integrity_av_invoke_type',
+ type: 'keyword',
+ description: 'Scan invoke type.',
+ },
+ {
+ name: 'peer_gateway',
+ type: 'ip',
+ description: 'Main IP of the peer Security Gateway.',
+ },
+ {
+ name: 'performance_impact',
+ type: 'keyword',
+ description: 'Protection performance impact.',
+ },
+ {
+ name: 'protection_id',
+ type: 'keyword',
+ description: 'Protection malware ID.',
+ },
+ {
+ name: 'protection_name',
+ type: 'keyword',
+ description: 'Specific signature name of the attack.',
+ },
+ {
+ name: 'protection_type',
+ type: 'keyword',
+ description: 'Type of protection used to detect the attack.',
+ },
+ {
+ name: 'scan_result',
+ type: 'keyword',
+ description: 'Scan result.',
+ },
+ {
+ name: 'sensor_mode',
+ type: 'keyword',
+ description: 'Sensor mode.',
+ },
+ {
+ name: 'severity',
+ type: 'keyword',
+ description: 'Threat severity.',
+ },
+ {
+ name: 'malware_status',
+ type: 'keyword',
+ description: 'Malware status.',
+ },
+ {
+ name: 'subscription_expiration',
+ type: 'date',
+ description: 'The expiration date of the subscription.',
+ },
+ {
+ name: 'tcp_flags',
+ type: 'keyword',
+ description: 'TCP packet flags.',
+ },
+ {
+ name: 'termination_reason',
+ type: 'keyword',
+ description: 'Termination reason.',
+ },
+ {
+ name: 'update_status',
+ type: 'keyword',
+ description: 'Update status.',
+ },
+ {
+ name: 'user_status',
+ type: 'keyword',
+ description: 'User response.',
+ },
+ {
+ name: 'uuid',
+ type: 'keyword',
+ description: 'External ID.',
+ },
+ {
+ name: 'virus_name',
+ type: 'keyword',
+ description: 'Virus name.',
+ },
+ {
+ name: 'malware_name',
+ type: 'keyword',
+ description: 'Malware name.',
+ },
+ {
+ name: 'malware_family',
+ type: 'keyword',
+ description: 'Malware family.',
+ },
+ {
+ name: 'voip_log_type',
+ type: 'keyword',
+ description: 'VoIP log types.',
+ },
+ ],
+ },
+ {
+ name: 'cef.extensions',
+ type: 'group',
+ default_field: false,
+ description: 'Extra vendor-specific extensions.\n',
+ fields: [
+ {
+ name: 'cp_app_risk',
+ type: 'keyword',
+ },
+ {
+ name: 'cp_severity',
+ type: 'keyword',
+ },
+ {
+ name: 'ifname',
+ type: 'keyword',
+ },
+ {
+ name: 'inzone',
+ type: 'keyword',
+ },
+ {
+ name: 'layer_uuid',
+ type: 'keyword',
+ },
+ {
+ name: 'layer_name',
+ type: 'keyword',
+ },
+ {
+ name: 'logid',
+ type: 'keyword',
+ },
+ {
+ name: 'loguid',
+ type: 'keyword',
+ },
+ {
+ name: 'match_id',
+ type: 'keyword',
+ },
+ {
+ name: 'nat_addtnl_rulenum',
+ type: 'keyword',
+ },
+ {
+ name: 'nat_rulenum',
+ type: 'keyword',
+ },
+ {
+ name: 'origin',
+ type: 'keyword',
+ },
+ {
+ name: 'originsicname',
+ type: 'keyword',
+ },
+ {
+ name: 'outzone',
+ type: 'keyword',
+ },
+ {
+ name: 'parent_rule',
+ type: 'keyword',
+ },
+ {
+ name: 'product',
+ type: 'keyword',
+ },
+ {
+ name: 'rule_action',
+ type: 'keyword',
+ },
+ {
+ name: 'rule_uid',
+ type: 'keyword',
+ },
+ {
+ name: 'sequencenum',
+ type: 'keyword',
+ },
+ {
+ name: 'service_id',
+ type: 'keyword',
+ },
+ {
+ name: 'version',
+ type: 'keyword',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'cisco',
+ title: 'Cisco',
+ description: 'Module for handling Cisco network device logs.\n',
+ fields: [
+ {
+ name: 'cisco',
+ type: 'group',
+ description: 'Fields from Cisco logs.\n',
+ fields: [
+ {
+ name: 'asa',
+ type: 'group',
+ description: 'Fields for Cisco ASA Firewall.\n',
+ fields: [
+ {
+ name: 'message_id',
+ type: 'keyword',
+ description: 'The Cisco ASA message identifier.\n',
+ },
+ {
+ name: 'suffix',
+ type: 'keyword',
+ example: 'session',
+ description: 'Optional suffix after %ASA identifier.\n',
+ },
+ {
+ name: 'source_interface',
+ type: 'keyword',
+ description: 'Source interface for the flow or event.\n',
+ },
+ {
+ name: 'destination_interface',
+ type: 'keyword',
+ description: 'Destination interface for the flow or event.\n',
+ },
+ {
+ name: 'rule_name',
+ type: 'keyword',
+ description: 'Name of the Access Control List rule that matched this event.\n',
+ },
+ {
+ name: 'source_username',
+ type: 'keyword',
+ description: 'Name of the user that is the source for this event.\n',
+ },
+ {
+ name: 'destination_username',
+ type: 'keyword',
+ description: 'Name of the user that is the destination for this event.\n',
+ },
+ {
+ name: 'mapped_source_ip',
+ type: 'ip',
+ description: 'The translated source IP address.\n',
+ },
+ {
+ name: 'mapped_source_port',
+ type: 'long',
+ description: 'The translated source port.\n',
+ },
+ {
+ name: 'mapped_destination_ip',
+ type: 'ip',
+ description: 'The translated destination IP address.\n',
+ },
+ {
+ name: 'mapped_destination_port',
+ type: 'long',
+ description: 'The translated destination port.\n',
+ },
+ {
+ name: 'threat_level',
+ type: 'keyword',
+ description:
+ 'Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.\n',
+ },
+ {
+ name: 'threat_category',
+ type: 'keyword',
+ description:
+ 'Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.\n',
+ },
+ {
+ name: 'connection_id',
+ type: 'keyword',
+ description: 'Unique identifier for a flow.\n',
+ },
+ {
+ name: 'icmp_type',
+ type: 'short',
+ description: 'ICMP type.\n',
+ },
+ {
+ name: 'icmp_code',
+ type: 'short',
+ description: 'ICMP code.\n',
+ },
+ {
+ name: 'connection_type',
+ type: 'keyword',
+ default_field: false,
+ description: 'The VPN connection type\n',
+ },
+ {
+ name: 'dap_records',
+ default_field: false,
+ type: 'keyword',
+ description: 'The assigned DAP records\n',
+ },
+ ],
+ },
+ {
+ name: 'ftd',
+ type: 'group',
+ description: 'Fields for Cisco Firepower Threat Defense Firewall.\n',
+ fields: [
+ {
+ name: 'message_id',
+ type: 'keyword',
+ description: 'The Cisco FTD message identifier.\n',
+ },
+ {
+ name: 'suffix',
+ type: 'keyword',
+ example: 'session',
+ description: 'Optional suffix after %FTD identifier.\n',
+ },
+ {
+ name: 'source_interface',
+ type: 'keyword',
+ description: 'Source interface for the flow or event.\n',
+ },
+ {
+ name: 'destination_interface',
+ type: 'keyword',
+ description: 'Destination interface for the flow or event.\n',
+ },
+ {
+ name: 'rule_name',
+ type: 'keyword',
+ description: 'Name of the Access Control List rule that matched this event.\n',
+ },
+ {
+ name: 'source_username',
+ type: 'keyword',
+ description: 'Name of the user that is the source for this event.\n',
+ },
+ {
+ name: 'destination_username',
+ type: 'keyword',
+ description: 'Name of the user that is the destination for this event.\n',
+ },
+ {
+ name: 'mapped_source_ip',
+ type: 'ip',
+ description: 'The translated source IP address. Use ECS source.nat.ip.\n',
+ },
+ {
+ name: 'mapped_source_port',
+ type: 'long',
+ description: 'The translated source port. Use ECS source.nat.port.\n',
+ },
+ {
+ name: 'mapped_destination_ip',
+ type: 'ip',
+ description: 'The translated destination IP address. Use ECS destination.nat.ip.\n',
+ },
+ {
+ name: 'mapped_destination_port',
+ type: 'long',
+ description: 'The translated destination port. Use ECS destination.nat.port.\n',
+ },
+ {
+ name: 'threat_level',
+ type: 'keyword',
+ description:
+ 'Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.\n',
+ },
+ {
+ name: 'threat_category',
+ type: 'keyword',
+ description:
+ 'Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.\n',
+ },
+ {
+ name: 'connection_id',
+ type: 'keyword',
+ description: 'Unique identifier for a flow.\n',
+ },
+ {
+ name: 'icmp_type',
+ type: 'short',
+ description: 'ICMP type.\n',
+ },
+ {
+ name: 'icmp_code',
+ type: 'short',
+ description: 'ICMP code.\n',
+ },
+ {
+ name: 'security',
+ type: 'object',
+ description: 'Raw fields for Security Events.',
+ },
+ {
+ name: 'connection_type',
+ type: 'keyword',
+ default_field: false,
+ description: 'The VPN connection type\n',
+ },
+ {
+ name: 'dap_records',
+ type: 'keyword',
+ default_field: false,
+ description: 'The assigned DAP records\n',
+ },
+ ],
+ },
+ {
+ name: 'ios',
+ type: 'group',
+ description: 'Fields for Cisco IOS logs.\n',
+ fields: [
+ {
+ name: 'access_list',
+ type: 'keyword',
+ description: 'Name of the IP access list.\n',
+ },
+ {
+ name: 'facility',
+ type: 'keyword',
+ example: 'SEC',
+ description:
+ 'The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'coredns',
+ title: 'Coredns',
+ description: 'Module for handling logs produced by coredns\n',
+ fields: [
+ {
+ name: 'coredns',
+ type: 'group',
+ description: 'coredns fields after normalization\n',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'id of the DNS transaction\n',
+ },
+ {
+ name: 'query.size',
+ type: 'integer',
+ format: 'bytes',
+ description: 'size of the DNS query\n',
+ },
+ {
+ name: 'query.class',
+ type: 'keyword',
+ description: 'DNS query class\n',
+ },
+ {
+ name: 'query.name',
+ type: 'keyword',
+ description: 'DNS query name\n',
+ },
+ {
+ name: 'query.type',
+ type: 'keyword',
+ description: 'DNS query type\n',
+ },
+ {
+ name: 'response.code',
+ type: 'keyword',
+ description: 'DNS response code\n',
+ },
+ {
+ name: 'response.flags',
+ type: 'keyword',
+ description: 'DNS response flags\n',
+ },
+ {
+ name: 'response.size',
+ type: 'integer',
+ format: 'bytes',
+ description: 'size of the DNS response\n',
+ },
+ {
+ name: 'dnssec_ok',
+ type: 'boolean',
+ description: 'dnssec flag\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'envoyproxy',
+ title: 'Envoyproxy',
+ description: 'Module for handling logs produced by envoy\n',
+ fields: [
+ {
+ name: 'envoyproxy',
+ type: 'group',
+ description: 'Fields from envoy proxy logs after normalization\n',
+ fields: [
+ {
+ name: 'log_type',
+ type: 'keyword',
+ description: 'Envoy log type, normally ACCESS\n',
+ },
+ {
+ name: 'response_flags',
+ type: 'keyword',
+ description: 'Response flags\n',
+ },
+ {
+ name: 'upstream_service_time',
+ type: 'long',
+ format: 'duration',
+ input_format: 'nanoseconds',
+ description: 'Upstream service time in nanoseconds\n',
+ },
+ {
+ name: 'request_id',
+ type: 'keyword',
+ description: 'ID of the request\n',
+ },
+ {
+ name: 'authority',
+ type: 'keyword',
+ description: 'Envoy proxy authority field\n',
+ },
+ {
+ name: 'proxy_type',
+ type: 'keyword',
+ description: 'Envoy proxy type, tcp or http\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'googlecloud',
+ title: 'Google Cloud',
+ description: 'Module for handling logs from Google Cloud.\n',
+ fields: [
+ {
+ name: 'googlecloud',
+ type: 'group',
+ description: 'Fields from Google Cloud logs.\n',
+ fields: [
+ {
+ name: 'destination.instance',
+ type: 'group',
+ description:
+ 'If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.\n',
+ fields: [
+ {
+ name: 'project_id',
+ type: 'keyword',
+ description: 'ID of the project containing the VM.\n',
+ },
+ {
+ name: 'region',
+ type: 'keyword',
+ description: 'Region of the VM.\n',
+ },
+ {
+ name: 'zone',
+ type: 'keyword',
+ description: 'Zone of the VM.\n',
+ },
+ ],
+ },
+ {
+ name: 'destination.vpc',
+ type: 'group',
+ description:
+ 'If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.\n',
+ fields: [
+ {
+ name: 'project_id',
+ type: 'keyword',
+ description: 'ID of the project containing the VM.\n',
+ },
+ {
+ name: 'vpc_name',
+ type: 'keyword',
+ description: 'VPC on which the VM is operating.\n',
+ },
+ {
+ name: 'subnetwork_name',
+ type: 'keyword',
+ description: 'Subnetwork on which the VM is operating.\n',
+ },
+ ],
+ },
+ {
+ name: 'source.instance',
+ type: 'group',
+ description:
+ 'If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.\n',
+ fields: [
+ {
+ name: 'project_id',
+ type: 'keyword',
+ description: 'ID of the project containing the VM.\n',
+ },
+ {
+ name: 'region',
+ type: 'keyword',
+ description: 'Region of the VM.\n',
+ },
+ {
+ name: 'zone',
+ type: 'keyword',
+ description: 'Zone of the VM.\n',
+ },
+ ],
+ },
+ {
+ name: 'source.vpc',
+ type: 'group',
+ description:
+ 'If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.\n',
+ fields: [
+ {
+ name: 'project_id',
+ type: 'keyword',
+ description: 'ID of the project containing the VM.\n',
+ },
+ {
+ name: 'vpc_name',
+ type: 'keyword',
+ description: 'VPC on which the VM is operating.\n',
+ },
+ {
+ name: 'subnetwork_name',
+ type: 'keyword',
+ description: 'Subnetwork on which the VM is operating.\n',
+ },
+ ],
+ },
+ {
+ name: 'audit',
+ type: 'group',
+ description: 'Fields for Google Cloud audit logs.\n',
+ fields: [
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'Type property.\n',
+ },
+ {
+ name: 'authentication_info',
+ type: 'group',
+ description: 'Authentication information.\n',
+ fields: [
+ {
+ name: 'principal_email',
+ type: 'keyword',
+ description:
+ 'The email address of the authenticated user making the request.\n',
+ },
+ {
+ name: 'authority_selector',
+ type: 'keyword',
+ description:
+ 'The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority.\n',
+ },
+ ],
+ },
+ {
+ name: 'authorization_info',
+ type: 'array',
+ description: 'Authorization information for the operation.\n',
+ fields: [
+ {
+ name: 'permission',
+ type: 'keyword',
+ description: 'The required IAM permission.\n',
+ },
+ {
+ name: 'granted',
+ type: 'boolean',
+ description:
+ 'Whether or not authorization for resource and permission was granted.\n',
+ },
+ {
+ name: 'resource_attributes',
+ type: 'group',
+ description: 'The attributes of the resource.\n',
+ fields: [
+ {
+ name: 'service',
+ type: 'keyword',
+ description: 'The name of the service.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'The name of the resource.\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'The type of the resource.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'method_name',
+ type: 'keyword',
+ description:
+ "The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'.\n",
+ },
+ {
+ name: 'num_response_items',
+ type: 'long',
+ description:
+ 'The number of items returned from a List or Query API method, if applicable.\n',
+ },
+ {
+ name: 'request',
+ type: 'group',
+ description: 'The operation request.\n',
+ fields: [
+ {
+ name: 'proto_name',
+ type: 'keyword',
+ description: 'Type property of the request.\n',
+ },
+ {
+ name: 'filter',
+ type: 'keyword',
+ description: 'Filter of the request.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Name of the request.\n',
+ },
+ {
+ name: 'resource_name',
+ type: 'keyword',
+ description: 'Name of the request resource.\n',
+ },
+ ],
+ },
+ {
+ name: 'request_metadata',
+ type: 'group',
+ description: 'Metadata about the request.\n',
+ fields: [
+ {
+ name: 'caller_ip',
+ type: 'ip',
+ description: 'The IP address of the caller.\n',
+ },
+ {
+ name: 'caller_supplied_user_agent',
+ type: 'keyword',
+ description:
+ 'The user agent of the caller. This information is not authenticated and should be treated accordingly.\n',
+ },
+ ],
+ },
+ {
+ name: 'resource_name',
+ type: 'keyword',
+ description:
+ "The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'.\n",
+ },
+ {
+ name: 'resource_location',
+ type: 'group',
+ description: 'The location of the resource.\n',
+ fields: [
+ {
+ name: 'current_locations',
+ type: 'keyword',
+ description: 'Current locations of the resource.\n',
+ },
+ ],
+ },
+ {
+ name: 'service_name',
+ type: 'keyword',
+ description:
+ 'The name of the API service performing the operation. For example, datastore.googleapis.com.\n',
+ },
+ {
+ name: 'status',
+ type: 'group',
+ description: 'The status of the overall operation.\n',
+ fields: [
+ {
+ name: 'code',
+ type: 'integer',
+ description:
+ 'The status code, which should be an enum value of google.rpc.Code.\n',
+ },
+ {
+ name: 'message',
+ type: 'keyword',
+ description:
+ 'A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'firewall',
+ type: 'group',
+ description: 'Fields for Google Cloud Firewall logs.\n',
+ fields: [
+ {
+ name: 'rule_details',
+ type: 'group',
+ description: 'Description of the firewall rule that matched this connection.\n',
+ fields: [
+ {
+ name: 'priority',
+ type: 'long',
+ description: 'The priority for the firewall rule.',
+ },
+ {
+ name: 'action',
+ type: 'keyword',
+ description: 'Action that the rule performs on match.',
+ },
+ {
+ name: 'direction',
+ type: 'keyword',
+ description: 'Direction of traffic that matches this rule.',
+ },
+ {
+ name: 'reference',
+ type: 'keyword',
+ description: 'Reference to the firewall rule.',
+ },
+ {
+ name: 'source_range',
+ type: 'keyword',
+ description: 'List of source ranges that the firewall rule applies to.',
+ },
+ {
+ name: 'destination_range',
+ type: 'keyword',
+ description: 'List of destination ranges that the firewall applies to.',
+ },
+ {
+ name: 'source_tag',
+ type: 'keyword',
+ description: 'List of all the source tags that the firewall rule applies to.\n',
+ },
+ {
+ name: 'target_tag',
+ type: 'keyword',
+ description: 'List of all the target tags that the firewall rule applies to.\n',
+ },
+ {
+ name: 'ip_port_info',
+ type: 'array',
+ description: 'List of ip protocols and applicable port ranges for rules.\n',
+ },
+ {
+ name: 'source_service_account',
+ type: 'keyword',
+ description:
+ 'List of all the source service accounts that the firewall rule applies to.\n',
+ },
+ {
+ name: 'target_service_account',
+ type: 'keyword',
+ description:
+ 'List of all the target service accounts that the firewall rule applies to.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'vpcflow',
+ type: 'group',
+ description: 'Fields for Google Cloud VPC flow logs.\n',
+ fields: [
+ {
+ name: 'reporter',
+ type: 'keyword',
+ description: "The side which reported the flow. Can be either 'SRC' or 'DEST'.\n",
+ },
+ {
+ name: 'rtt.ms',
+ type: 'long',
+ description:
+ 'Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'ibmmq',
+ title: 'ibmmq',
+ description: 'ibmmq Module\n',
+ release: 'ga',
+ fields: [
+ {
+ name: 'ibmmq',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'errorlog',
+ description: 'IBM MQ error logs',
+ type: 'group',
+ fields: [
+ {
+ name: 'installation',
+ description:
+ 'This is the installation name which can be given at installation time.\nEach installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation.\n',
+ type: 'keyword',
+ },
+ {
+ name: 'qmgr',
+ description:
+ 'Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them.\n',
+ type: 'keyword',
+ },
+ {
+ name: 'arithinsert',
+ description: 'Changing content based on error.id',
+ type: 'keyword',
+ },
+ {
+ name: 'commentinsert',
+ description: 'Changing content based on error.id',
+ type: 'keyword',
+ },
+ {
+ name: 'errordescription',
+ description: 'Please add description',
+ example: 'Please add example',
+ type: 'text',
+ },
+ {
+ name: 'explanation',
+ description: 'Explaines the error in more detail',
+ type: 'keyword',
+ },
+ {
+ name: 'action',
+ description: 'Defines what to do when the error occurs',
+ type: 'keyword',
+ },
+ {
+ name: 'code',
+ description: 'Error code.',
+ type: 'keyword',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'iptables',
+ title: 'iptables',
+ description: 'Module for handling the iptables logs.\n',
+ fields: [
+ {
+ name: 'iptables',
+ type: 'group',
+ description: 'Fields from the iptables logs.\n',
+ fields: [
+ {
+ name: 'ether_type',
+ type: 'long',
+ description:
+ 'Value of the ethernet type field identifying the network layer protocol.\n',
+ },
+ {
+ name: 'flow_label',
+ type: 'integer',
+ description: 'IPv6 flow label.\n',
+ },
+ {
+ name: 'fragment_flags',
+ type: 'keyword',
+ description: 'IP fragment flags. A combination of CE, DF and MF.\n',
+ },
+ {
+ name: 'fragment_offset',
+ type: 'long',
+ description: 'Offset of the current IP fragment.\n',
+ },
+ {
+ name: 'icmp',
+ type: 'group',
+ description: 'ICMP fields.\n',
+ fields: [
+ {
+ name: 'code',
+ type: 'long',
+ description: 'ICMP code.\n',
+ },
+ {
+ name: 'id',
+ type: 'long',
+ description: 'ICMP ID.\n',
+ },
+ {
+ name: 'parameter',
+ type: 'long',
+ description: 'ICMP parameter.\n',
+ },
+ {
+ name: 'redirect',
+ type: 'ip',
+ description: 'ICMP redirect address.\n',
+ },
+ {
+ name: 'seq',
+ type: 'long',
+ description: 'ICMP sequence number.\n',
+ },
+ {
+ name: 'type',
+ type: 'long',
+ description: 'ICMP type.\n',
+ },
+ ],
+ },
+ {
+ name: 'id',
+ type: 'long',
+ description: 'Packet identifier.\n',
+ },
+ {
+ name: 'incomplete_bytes',
+ type: 'long',
+ description: 'Number of incomplete bytes.\n',
+ },
+ {
+ name: 'input_device',
+ type: 'keyword',
+ description: 'Device that received the packet.\n',
+ },
+ {
+ name: 'precedence_bits',
+ type: 'short',
+ description: 'IP precedence bits.\n',
+ },
+ {
+ name: 'tos',
+ type: 'long',
+ description: 'IP Type of Service field.\n',
+ },
+ {
+ name: 'length',
+ type: 'long',
+ description: 'Packet length.\n',
+ },
+ {
+ name: 'output_device',
+ type: 'keyword',
+ description: 'Device that output the packet.\n',
+ },
+ {
+ name: 'tcp',
+ type: 'group',
+ description: 'TCP fields.\n',
+ fields: [
+ {
+ name: 'flags',
+ type: 'keyword',
+ description: 'TCP flags.\n',
+ },
+ {
+ name: 'reserved_bits',
+ type: 'short',
+ description: 'TCP reserved bits.\n',
+ },
+ {
+ name: 'seq',
+ type: 'long',
+ description: 'TCP sequence number.\n',
+ },
+ {
+ name: 'ack',
+ type: 'long',
+ description: 'TCP Acknowledgment number.\n',
+ },
+ {
+ name: 'window',
+ type: 'long',
+ description: 'Advertised TCP window size.\n',
+ },
+ ],
+ },
+ {
+ name: 'ttl',
+ type: 'integer',
+ description: 'Time To Live field.\n',
+ },
+ {
+ name: 'udp',
+ type: 'group',
+ description: 'UDP fields.\n',
+ fields: [
+ {
+ name: 'length',
+ type: 'long',
+ description: 'Length of the UDP header and payload.\n',
+ },
+ ],
+ },
+ {
+ name: 'ubiquiti',
+ type: 'group',
+ description: 'Fields for Ubiquiti network devices.\n',
+ fields: [
+ {
+ name: 'input_zone',
+ type: 'keyword',
+ description: 'Input zone.\n',
+ },
+ {
+ name: 'output_zone',
+ type: 'keyword',
+ description: 'Output zone.\n',
+ },
+ {
+ name: 'rule_number',
+ type: 'keyword',
+ description: 'The rule number within the rule set.',
+ },
+ {
+ name: 'rule_set',
+ type: 'keyword',
+ description: 'The rule set name.',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'misp',
+ title: 'MISP',
+ description: 'Module for handling threat information from MISP.\n',
+ fields: [
+ {
+ name: 'misp',
+ type: 'group',
+ description: 'Fields from MISP threat information.\n',
+ fields: [
+ {
+ name: 'attack_pattern',
+ title: 'Attack Pattern',
+ short: 'Fields that let you store attack patterns',
+ description:
+ 'Fields provide support for specifying information about attack patterns.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the threat indicator.\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'Name of the attack pattern.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description: 'Description of the attack pattern.\n',
+ },
+ {
+ name: 'kill_chain_phases',
+ level: 'extended',
+ type: 'keyword',
+ description: 'The kill chain phase(s) to which this attack pattern corresponds.\n',
+ },
+ ],
+ },
+ {
+ name: 'campaign',
+ title: 'Campaign',
+ short: 'Fields that let you store campaign information',
+ description: 'Fields provide support for specifying information about campaigns.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the campaign.\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'Name of the campaign.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description: 'Description of the campaign.\n',
+ },
+ {
+ name: 'aliases',
+ level: 'extended',
+ type: 'text',
+ description: 'Alternative names used to identify this campaign.\n',
+ },
+ {
+ name: 'first_seen',
+ level: 'core',
+ type: 'date',
+ description: 'The time that this Campaign was first seen, in RFC3339 format.\n',
+ },
+ {
+ name: 'last_seen',
+ level: 'core',
+ type: 'date',
+ description: 'The time that this Campaign was last seen, in RFC3339 format.\n',
+ },
+ {
+ name: 'objective',
+ level: 'core',
+ type: 'keyword',
+ description:
+ "This field defines the Campaign's primary goal, objective, desired outcome, or intended effect.\n",
+ },
+ ],
+ },
+ {
+ name: 'course_of_action',
+ title: 'Course of Action',
+ short: 'Fields that let you store information about course of action.',
+ description:
+ 'A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Course of Action.\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'The name used to identify the Course of Action.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description: 'Description of the Course of Action.\n',
+ },
+ ],
+ },
+ {
+ name: 'identity',
+ title: 'Identity',
+ short: 'Fields that let you store information about identity.',
+ description:
+ 'Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Identity.\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'The name used to identify the Identity.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description: 'Description of the Identity.\n',
+ },
+ {
+ name: 'identity_class',
+ level: 'core',
+ type: 'keyword',
+ description:
+ 'The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov\n',
+ },
+ {
+ name: 'labels',
+ level: 'extended',
+ type: 'keyword',
+ description: 'The list of roles that this Identity performs.\n',
+ example: 'CEO\n',
+ },
+ {
+ name: 'sectors',
+ level: 'extended',
+ type: 'keyword',
+ description:
+ 'The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov\n',
+ },
+ {
+ name: 'contact_information',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The contact information (e-mail, phone number, etc.) for this Identity.\n',
+ },
+ ],
+ },
+ {
+ name: 'intrusion_set',
+ title: 'Intrusion Set',
+ short: 'Fields that let you store information about Intrusion Set.',
+ description:
+ 'An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Intrusion Set.\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'The name used to identify the Intrusion Set.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description: 'Description of the Intrusion Set.\n',
+ },
+ {
+ name: 'aliases',
+ level: 'extended',
+ type: 'text',
+ description: 'Alternative names used to identify the Intrusion Set.\n',
+ },
+ {
+ name: 'first_seen',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'The time that this Intrusion Set was first seen, in RFC3339 format.\n',
+ },
+ {
+ name: 'last_seen',
+ level: 'extended',
+ type: 'date',
+ description: 'The time that this Intrusion Set was last seen, in RFC3339 format.\n',
+ },
+ {
+ name: 'goals',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The high level goals of this Intrusion Set, namely, what are they trying to do.\n',
+ },
+ {
+ name: 'resource_level',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov\n',
+ },
+ {
+ name: 'primary_motivation',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov\n',
+ },
+ {
+ name: 'secondary_motivations',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov\n',
+ },
+ ],
+ },
+ {
+ name: 'malware',
+ title: 'Malware',
+ short: 'Fields that let you store information about Malware.',
+ description:
+ "Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.\n",
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Malware.\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'The name used to identify the Malware.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description: 'Description of the Malware.\n',
+ },
+ {
+ name: 'labels',
+ level: 'core',
+ type: 'keyword',
+ description:
+ 'The type of malware being described. Open Vocab - malware-label-ov. adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm\n',
+ },
+ {
+ name: 'kill_chain_phases',
+ format: 'string',
+ level: 'extended',
+ type: 'keyword',
+ description:
+ 'The list of kill chain phases for which this Malware instance can be used.\n',
+ },
+ ],
+ },
+ {
+ name: 'note',
+ title: 'Note',
+ short: 'Fields that let you store information about Malware.',
+ description:
+ 'A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Note.\n',
+ },
+ {
+ name: 'summary',
+ level: 'extended',
+ type: 'keyword',
+ description: 'A brief description used as a summary of the Note.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description: 'The content of the Note.\n',
+ },
+ {
+ name: 'authors',
+ level: 'extended',
+ type: 'keyword',
+ description: 'The name of the author(s) of this Note.\n',
+ },
+ {
+ name: 'object_refs',
+ level: 'extended',
+ type: 'keyword',
+ description:
+ 'The STIX Objects (SDOs and SROs) that the note is being applied to.\n',
+ },
+ ],
+ },
+ {
+ name: 'threat_indicator',
+ title: 'Threat Indicator',
+ short: 'Fields that let you store Threat Indicators',
+ description:
+ 'Fields provide support for specifying information about threat indicators, and related matching patterns.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'labels',
+ level: 'core',
+ type: 'keyword',
+ description: 'list of type open-vocab that specifies the type of indicator.\n',
+ example: 'Domain Watchlist\n',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the threat indicator.\n',
+ },
+ {
+ name: 'version',
+ level: 'core',
+ type: 'keyword',
+ description: 'Version of the threat indicator.\n',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ description: 'Type of the threat indicator.\n',
+ },
+ {
+ name: 'description',
+ level: 'core',
+ type: 'text',
+ description: 'Description of the threat indicator.\n',
+ },
+ {
+ name: 'feed',
+ level: 'core',
+ type: 'text',
+ description: 'Name of the threat feed.\n',
+ },
+ {
+ name: 'valid_from',
+ level: 'core',
+ type: 'date',
+ description:
+ 'The time from which this Indicator should be considered valuable intelligence, in RFC3339 format.\n',
+ },
+ {
+ name: 'valid_until',
+ level: 'core',
+ type: 'date',
+ description:
+ 'The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format.\n',
+ },
+ {
+ name: 'severity',
+ format: 'string',
+ level: 'core',
+ type: 'keyword',
+ description: 'Threat severity to which this indicator corresponds.\n',
+ example: 'high',
+ },
+ {
+ name: 'confidence',
+ level: 'core',
+ type: 'keyword',
+ description: 'Confidence level to which this indicator corresponds.\n',
+ example: 'high',
+ },
+ {
+ name: 'kill_chain_phases',
+ format: 'string',
+ level: 'extended',
+ type: 'keyword',
+ description: 'The kill chain phase(s) to which this indicator corresponds.\n',
+ },
+ {
+ name: 'mitre_tactic',
+ format: 'string',
+ level: 'extended',
+ type: 'keyword',
+ description: 'MITRE tactics to which this indicator corresponds.\n',
+ example: 'Initial Access',
+ },
+ {
+ name: 'mitre_technique',
+ format: 'string',
+ level: 'extended',
+ type: 'keyword',
+ description: 'MITRE techniques to which this indicator corresponds.\n',
+ example: 'Drive-by Compromise',
+ },
+ {
+ name: 'attack_pattern',
+ level: 'core',
+ type: 'keyword',
+ description:
+ 'The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning.\n',
+ example: "[destination:ip = '91.219.29.188/32']\n",
+ },
+ {
+ name: 'attack_pattern_kql',
+ level: 'core',
+ type: 'keyword',
+ description:
+ 'The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format.\n',
+ example: 'destination.ip: "91.219.29.188/32"\n',
+ },
+ {
+ name: 'negate',
+ level: 'core',
+ type: 'boolean',
+ description: 'When set to true, it specifies the absence of the attack_pattern.\n',
+ },
+ {
+ name: 'intrusion_set',
+ level: 'extended',
+ type: 'keyword',
+ description: 'Name of the intrusion set if known.\n',
+ },
+ {
+ name: 'campaign',
+ level: 'extended',
+ type: 'keyword',
+ description: 'Name of the attack campaign if known.\n',
+ },
+ {
+ name: 'threat_actor',
+ level: 'extended',
+ type: 'keyword',
+ description: 'Name of the threat actor if known.\n',
+ },
+ ],
+ },
+ {
+ name: 'observed_data',
+ title: 'Observed Data',
+ short: 'Fields that let you store information about Observed Data.',
+ description:
+ 'Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Observed Data.\n',
+ },
+ {
+ name: 'first_observed',
+ level: 'core',
+ type: 'date',
+ description:
+ 'The beginning of the time window that the data was observed, in RFC3339 format.\n',
+ },
+ {
+ name: 'last_observed',
+ level: 'core',
+ type: 'date',
+ description:
+ 'The end of the time window that the data was observed, in RFC3339 format.\n',
+ },
+ {
+ name: 'number_observed',
+ level: 'core',
+ type: 'integer',
+ description:
+ 'The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive.\n',
+ },
+ {
+ name: 'objects',
+ level: 'core',
+ type: 'keyword',
+ description:
+ 'A dictionary of Cyber Observable Objects that describes the single fact that was observed.\n',
+ },
+ ],
+ },
+ {
+ name: 'report',
+ title: 'Report',
+ short: 'Fields that let you store information about Report.',
+ description:
+ 'Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Report.\n',
+ },
+ {
+ name: 'labels',
+ level: 'core',
+ type: 'keyword',
+ description:
+ 'This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'The name used to identify the Report.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description: 'A description that provides more details and context about Report.\n',
+ },
+ {
+ name: 'published',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'The date that this report object was officially published by the creator of this report, in RFC3339 format.\n',
+ },
+ {
+ name: 'object_refs',
+ level: 'core',
+ type: 'text',
+ description: 'Specifies the STIX Objects that are referred to by this Report.\n',
+ },
+ ],
+ },
+ {
+ name: 'threat_actor',
+ title: 'Threat Actor',
+ short: 'Fields that let you store information about Threat Actor.',
+ description:
+ 'Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Threat Actor.\n',
+ },
+ {
+ name: 'labels',
+ level: 'core',
+ type: 'keyword',
+ description:
+ 'This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'The name used to identify this Threat Actor or Threat Actor group.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'A description that provides more details and context about the Threat Actor.\n',
+ },
+ {
+ name: 'aliases',
+ level: 'extended',
+ type: 'text',
+ description: 'A list of other names that this Threat Actor is believed to use.\n',
+ },
+ {
+ name: 'roles',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author\n',
+ },
+ {
+ name: 'goals',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The high level goals of this Threat Actor, namely, what are they trying to do.\n',
+ },
+ {
+ name: 'sophistication',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator\n',
+ },
+ {
+ name: 'resource_level',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government\n',
+ },
+ {
+ name: 'primary_motivation',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable\n',
+ },
+ {
+ name: 'secondary_motivations',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable\n',
+ },
+ {
+ name: 'personal_motivations',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable\n',
+ },
+ ],
+ },
+ {
+ name: 'tool',
+ title: 'Tool',
+ short: 'Fields that let you store information about Tool.',
+ description:
+ 'Tools are legitimate software that can be used by threat actors to perform attacks.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Tool.\n',
+ },
+ {
+ name: 'labels',
+ level: 'core',
+ type: 'keyword',
+ description:
+ 'The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'The name used to identify the Tool.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'A description that provides more details and context about the Tool.\n',
+ },
+ {
+ name: 'tool_version',
+ level: 'extended',
+ type: 'keyword',
+ description: 'The version identifier associated with the Tool.\n',
+ },
+ {
+ name: 'kill_chain_phases',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'The list of kill chain phases for which this Tool instance can be used.\n',
+ },
+ ],
+ },
+ {
+ name: 'vulnerability',
+ title: 'Vulnerability',
+ short: 'Fields that let you store information about Vulnerability.',
+ description:
+ 'A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ description: 'Identifier of the Vulnerability.\n',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ description: 'The name used to identify the Vulnerability.\n',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'text',
+ description:
+ 'A description that provides more details and context about the Vulnerability.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'mssql',
+ title: 'mssql',
+ description: 'MS SQL Filebeat Module',
+ fields: [
+ {
+ name: 'mssql',
+ type: 'group',
+ description: 'Fields from the MSSQL log files',
+ fields: [
+ {
+ name: 'log',
+ description: 'Common log fields',
+ type: 'group',
+ fields: [
+ {
+ name: 'origin',
+ description:
+ 'Origin of the message, usually the server but it can also be a recovery process',
+ type: 'keyword',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'netflow-module',
+ title: 'NetFlow',
+ description:
+ 'Module for receiving NetFlow and IPFIX flow records over UDP. The module does not add fields beyond what the netflow input provides.\n',
+ fields: [],
+ },
+ {
+ key: 'o365',
+ title: 'Office 365',
+ description: 'Module for handling logs from Office 365.\n',
+ fields: [
+ {
+ name: 'o365.audit',
+ type: 'group',
+ default_field: false,
+ description: 'Fields from Office 365 Management API audit logs.\n',
+ fields: [
+ {
+ name: 'Actor',
+ type: 'array',
+ fields: [
+ {
+ name: 'ID',
+ type: 'keyword',
+ },
+ {
+ name: 'Type',
+ type: 'keyword',
+ },
+ ],
+ },
+ {
+ name: 'ActorContextId',
+ type: 'keyword',
+ },
+ {
+ name: 'ActorIpAddress',
+ type: 'keyword',
+ },
+ {
+ name: 'ActorUserId',
+ type: 'keyword',
+ },
+ {
+ name: 'ActorYammerUserId',
+ type: 'keyword',
+ },
+ {
+ name: 'AlertEntityId',
+ type: 'keyword',
+ },
+ {
+ name: 'AlertId',
+ type: 'keyword',
+ },
+ {
+ name: 'AlertLinks',
+ type: 'array',
+ },
+ {
+ name: 'AlertType',
+ type: 'keyword',
+ },
+ {
+ name: 'AppId',
+ type: 'keyword',
+ },
+ {
+ name: 'ApplicationDisplayName',
+ type: 'keyword',
+ },
+ {
+ name: 'ApplicationId',
+ type: 'keyword',
+ },
+ {
+ name: 'AzureActiveDirectoryEventType',
+ type: 'keyword',
+ },
+ {
+ name: 'ExchangeMetaData.*',
+ type: 'object',
+ },
+ {
+ name: 'Category',
+ type: 'keyword',
+ },
+ {
+ name: 'ClientAppId',
+ type: 'keyword',
+ },
+ {
+ name: 'ClientInfoString',
+ type: 'keyword',
+ },
+ {
+ name: 'ClientIP',
+ type: 'keyword',
+ },
+ {
+ name: 'ClientIPAddress',
+ type: 'keyword',
+ },
+ {
+ name: 'Comments',
+ type: 'text',
+ norms: false,
+ },
+ {
+ name: 'CorrelationId',
+ type: 'keyword',
+ },
+ {
+ name: 'CreationTime',
+ type: 'keyword',
+ },
+ {
+ name: 'CustomUniqueId',
+ type: 'keyword',
+ },
+ {
+ name: 'Data',
+ type: 'keyword',
+ },
+ {
+ name: 'DataType',
+ type: 'keyword',
+ },
+ {
+ name: 'EntityType',
+ type: 'keyword',
+ },
+ {
+ name: 'EventData',
+ type: 'keyword',
+ },
+ {
+ name: 'EventSource',
+ type: 'keyword',
+ },
+ {
+ name: 'ExceptionInfo.*',
+ type: 'object',
+ },
+ {
+ name: 'ExtendedProperties.*',
+ type: 'object',
+ },
+ {
+ name: 'ExternalAccess',
+ type: 'keyword',
+ },
+ {
+ name: 'GroupName',
+ type: 'keyword',
+ },
+ {
+ name: 'Id',
+ type: 'keyword',
+ },
+ {
+ name: 'ImplicitShare',
+ type: 'keyword',
+ },
+ {
+ name: 'IncidentId',
+ type: 'keyword',
+ },
+ {
+ name: 'InternalLogonType',
+ type: 'keyword',
+ },
+ {
+ name: 'InterSystemsId',
+ type: 'keyword',
+ },
+ {
+ name: 'IntraSystemId',
+ type: 'keyword',
+ },
+ {
+ name: 'Item.*',
+ type: 'object',
+ },
+ {
+ name: 'Item.*.*',
+ type: 'object',
+ },
+ {
+ name: 'ItemName',
+ type: 'keyword',
+ },
+ {
+ name: 'ItemType',
+ type: 'keyword',
+ },
+ {
+ name: 'ListId',
+ type: 'keyword',
+ },
+ {
+ name: 'ListItemUniqueId',
+ type: 'keyword',
+ },
+ {
+ name: 'LogonError',
+ type: 'keyword',
+ },
+ {
+ name: 'LogonType',
+ type: 'keyword',
+ },
+ {
+ name: 'LogonUserSid',
+ type: 'keyword',
+ },
+ {
+ name: 'MailboxGuid',
+ type: 'keyword',
+ },
+ {
+ name: 'MailboxOwnerMasterAccountSid',
+ type: 'keyword',
+ },
+ {
+ name: 'MailboxOwnerSid',
+ type: 'keyword',
+ },
+ {
+ name: 'MailboxOwnerUPN',
+ type: 'keyword',
+ },
+ {
+ name: 'Members',
+ type: 'array',
+ },
+ {
+ name: 'Members.*',
+ type: 'object',
+ },
+ {
+ name: 'ModifiedProperties.*.*',
+ type: 'object',
+ },
+ {
+ name: 'Name',
+ type: 'keyword',
+ },
+ {
+ name: 'ObjectId',
+ type: 'keyword',
+ },
+ {
+ name: 'Operation',
+ type: 'keyword',
+ },
+ {
+ name: 'OrganizationId',
+ type: 'keyword',
+ },
+ {
+ name: 'OrganizationName',
+ type: 'keyword',
+ },
+ {
+ name: 'OriginatingServer',
+ type: 'keyword',
+ },
+ {
+ name: 'Parameters.*',
+ type: 'object',
+ },
+ {
+ name: 'PolicyDetails',
+ type: 'array',
+ },
+ {
+ name: 'PolicyId',
+ type: 'keyword',
+ },
+ {
+ name: 'RecordType',
+ type: 'keyword',
+ },
+ {
+ name: 'ResultStatus',
+ type: 'keyword',
+ },
+ {
+ name: 'SensitiveInfoDetectionIsIncluded',
+ type: 'keyword',
+ },
+ {
+ name: 'SharePointMetaData.*',
+ type: 'object',
+ },
+ {
+ name: 'SessionId',
+ type: 'keyword',
+ },
+ {
+ name: 'Severity',
+ type: 'keyword',
+ },
+ {
+ name: 'Site',
+ type: 'keyword',
+ },
+ {
+ name: 'SiteUrl',
+ type: 'keyword',
+ },
+ {
+ name: 'Source',
+ type: 'keyword',
+ },
+ {
+ name: 'SourceFileExtension',
+ type: 'keyword',
+ },
+ {
+ name: 'SourceFileName',
+ type: 'keyword',
+ },
+ {
+ name: 'SourceRelativeUrl',
+ type: 'keyword',
+ },
+ {
+ name: 'Status',
+ type: 'keyword',
+ },
+ {
+ name: 'SupportTicketId',
+ type: 'keyword',
+ },
+ {
+ name: 'Target',
+ type: 'array',
+ fields: [
+ {
+ name: 'ID',
+ type: 'keyword',
+ },
+ {
+ name: 'Type',
+ type: 'keyword',
+ },
+ ],
+ },
+ {
+ name: 'TargetContextId',
+ type: 'keyword',
+ },
+ {
+ name: 'TargetUserOrGroupName',
+ type: 'keyword',
+ },
+ {
+ name: 'TargetUserOrGroupType',
+ type: 'keyword',
+ },
+ {
+ name: 'TeamName',
+ type: 'keyword',
+ },
+ {
+ name: 'TeamGuid',
+ type: 'keyword',
+ },
+ {
+ name: 'UniqueSharingId',
+ type: 'keyword',
+ },
+ {
+ name: 'UserAgent',
+ type: 'keyword',
+ },
+ {
+ name: 'UserId',
+ type: 'keyword',
+ },
+ {
+ name: 'UserKey',
+ type: 'keyword',
+ },
+ {
+ name: 'UserType',
+ type: 'keyword',
+ },
+ {
+ name: 'Version',
+ type: 'keyword',
+ },
+ {
+ name: 'WebId',
+ type: 'keyword',
+ },
+ {
+ name: 'Workload',
+ type: 'keyword',
+ },
+ {
+ name: 'YammerNetworkId',
+ type: 'keyword',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'okta',
+ title: 'Okta',
+ description: 'Module for handling system logs from Okta.\n',
+ fields: [
+ {
+ name: 'okta',
+ type: 'group',
+ default_field: false,
+ description: 'Fields from Okta.\n',
+ fields: [
+ {
+ name: 'uuid',
+ title: 'UUID',
+ short: 'The unique identifier of the Okta LogEvent.',
+ description: 'The unique identifier of the Okta LogEvent.\n',
+ type: 'keyword',
+ },
+ {
+ name: 'event_type',
+ title: 'Event Type',
+ short: 'The type of the LogEvent.',
+ description: 'The type of the LogEvent.\n',
+ type: 'keyword',
+ },
+ {
+ name: 'version',
+ title: 'Version',
+ short: 'The version of the LogEvent.',
+ description: 'The version of the LogEvent.\n',
+ type: 'keyword',
+ },
+ {
+ name: 'severity',
+ title: 'Severity',
+ short: 'The severity of the LogEvent.',
+ description:
+ 'The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.\n',
+ type: 'keyword',
+ },
+ {
+ name: 'display_message',
+ title: 'Display Message',
+ short: 'The display message of the LogEvent.',
+ description: 'The display message of the LogEvent.\n',
+ type: 'keyword',
+ },
+ {
+ name: 'actor',
+ title: 'Actor',
+ short: 'Fields of the actor for the LogEvent.',
+ description: 'Fields that let you store information of the actor for the LogEvent.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Identifier of the actor.\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'Type of the actor.\n',
+ },
+ {
+ name: 'alternate_id',
+ type: 'keyword',
+ description: 'Alternate identifier of the actor.\n',
+ },
+ {
+ name: 'display_name',
+ type: 'keyword',
+ description: 'Display name of the actor.\n',
+ },
+ ],
+ },
+ {
+ name: 'client',
+ title: 'Client',
+ short: 'Fields about the client of the actor.',
+ description: 'Fields that let you store information about the client of the actor.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'ip',
+ type: 'ip',
+ description: 'The IP address of the client.\n',
+ },
+ {
+ name: 'user_agent',
+ description: 'Fields about the user agent information of the client.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'raw_user_agent',
+ type: 'keyword',
+ description: 'The raw informaton of the user agent.\n',
+ },
+ {
+ name: 'os',
+ type: 'keyword',
+ description: 'The OS informaton.\n',
+ },
+ {
+ name: 'browser',
+ type: 'keyword',
+ description: 'The browser informaton of the client.\n',
+ },
+ ],
+ },
+ {
+ name: 'zone',
+ type: 'keyword',
+ description: 'The zone information of the client.\n',
+ },
+ {
+ name: 'device',
+ type: 'keyword',
+ description: 'The information of the client device.\n',
+ },
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'The identifier of the client.\n',
+ },
+ ],
+ },
+ {
+ name: 'outcome',
+ title: 'Outcome of the LogEvent.',
+ short: 'Fields that let you store information about the outcome.',
+ description: 'Fields that let you store information about the outcome.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'reason',
+ type: 'keyword',
+ description: 'The reason of the outcome.\n',
+ },
+ {
+ name: 'result',
+ type: 'keyword',
+ description:
+ 'The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.\n',
+ },
+ ],
+ },
+ {
+ name: 'target',
+ title: 'Target',
+ short: 'The list of targets.',
+ description: 'The list of targets.\n',
+ type: 'array',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Identifier of the actor.\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'Type of the actor.\n',
+ },
+ {
+ name: 'alternate_id',
+ type: 'keyword',
+ description: 'Alternate identifier of the actor.\n',
+ },
+ {
+ name: 'display_name',
+ type: 'keyword',
+ description: 'Display name of the actor.\n',
+ },
+ ],
+ },
+ {
+ name: 'transaction',
+ title: 'Transaction',
+ short: 'Fields that let you store information about related transaction.',
+ description: 'Fields that let you store information about related transaction.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'Identifier of the transaction.\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'The type of transaction. Must be one of "WEB", "JOB".\n',
+ },
+ ],
+ },
+ {
+ name: 'debug_context',
+ title: 'Debug Context',
+ short: 'Fields that let you store information about the debug context.',
+ description: 'Fields that let you store information about the debug context.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'debug_data',
+ description: 'The debug data.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'device_fingerprint',
+ type: 'keyword',
+ description: 'The fingerprint of the device.\n',
+ },
+ {
+ name: 'request_id',
+ type: 'keyword',
+ description: 'The identifier of the request.\n',
+ },
+ {
+ name: 'request_uri',
+ type: 'keyword',
+ description: 'The request URI.\n',
+ },
+ {
+ name: 'threat_suspected',
+ type: 'keyword',
+ description: 'Threat suspected.\n',
+ },
+ {
+ name: 'url',
+ type: 'keyword',
+ description: 'The URL.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'authentication_context',
+ title: 'Authentication Context',
+ short: 'Fields that let you store information about authentication context.',
+ description: 'Fields that let you store information about authentication context.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'authentication_provider',
+ type: 'keyword',
+ description:
+ 'The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.\n',
+ },
+ {
+ name: 'authentication_step',
+ type: 'integer',
+ description: 'The authentication step.\n',
+ },
+ {
+ name: 'credential_provider',
+ type: 'keyword',
+ description:
+ 'The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.\n',
+ },
+ {
+ name: 'credential_type',
+ type: 'keyword',
+ description:
+ 'The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.\n',
+ },
+ {
+ name: 'issuer',
+ description: 'The information about the issuer.\n',
+ type: 'array',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'The identifier of the issuer.\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'The type of the issuer.\n',
+ },
+ ],
+ },
+ {
+ name: 'external_session_id',
+ type: 'keyword',
+ description: 'The session identifer of the external session if any.\n',
+ },
+ {
+ name: 'interface',
+ type: 'keyword',
+ description: 'The interface used. e.g., Outlook, Office365, wsTrust\n',
+ },
+ ],
+ },
+ {
+ name: 'security_context',
+ title: 'Security Context',
+ short: 'Fields that let you store information about security context.',
+ description: 'Fields that let you store information about security context.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'as',
+ type: 'group',
+ description: 'The autonomous system.\n',
+ fields: [
+ {
+ name: 'number',
+ type: 'integer',
+ description: 'The AS number.\n',
+ },
+ {
+ name: 'organization',
+ type: 'group',
+ description: 'The organization that owns the AS number.\n',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'The organization name.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'isp',
+ type: 'keyword',
+ description: 'The Internet Service Provider.\n',
+ },
+ {
+ name: 'domain',
+ type: 'keyword',
+ description: 'The domain name.\n',
+ },
+ {
+ name: 'is_proxy',
+ type: 'boolean',
+ description: 'Whether it is a proxy or not.\n',
+ },
+ ],
+ },
+ {
+ name: 'request',
+ title: 'Request',
+ short: 'Fields that let you store information about the request.',
+ description:
+ 'Fields that let you store information about the request, in the form of list of ip_chain.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'ip_chain',
+ description: 'List of ip_chain objects.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'ip',
+ type: 'ip',
+ description: 'IP address.\n',
+ },
+ {
+ name: 'version',
+ type: 'keyword',
+ description: 'IP version. Must be one of V4, V6.\n',
+ },
+ {
+ name: 'source',
+ type: 'keyword',
+ description: 'Source information.\n',
+ },
+ {
+ name: 'geographical_context',
+ description: 'Geographical information.\n',
+ type: 'group',
+ fields: [
+ {
+ name: 'city',
+ type: 'keyword',
+ description: 'The city.',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description: 'The state.',
+ },
+ {
+ name: 'postal_code',
+ type: 'keyword',
+ description: 'The postal code.',
+ },
+ {
+ name: 'country',
+ type: 'keyword',
+ description: 'The country.',
+ },
+ {
+ name: 'geolocation',
+ description: 'Geolocation information.\n',
+ type: 'geo_point',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'panw',
+ title: 'panw',
+ description: 'Module for Palo Alto Networks (PAN-OS)\n',
+ fields: [
+ {
+ name: 'panw',
+ type: 'group',
+ description: 'Fields from the panw module.\n',
+ fields: [
+ {
+ name: 'panos',
+ type: 'group',
+ description: 'Fields for the Palo Alto Networks PAN-OS logs.\n',
+ fields: [
+ {
+ name: 'ruleset',
+ type: 'keyword',
+ description: 'Name of the rule that matched this session.\n',
+ },
+ {
+ name: 'source',
+ type: 'group',
+ description: 'Fields to extend the top-level source object.\n',
+ fields: [
+ {
+ name: 'zone',
+ type: 'keyword',
+ description: 'Source zone for this session.\n',
+ },
+ {
+ name: 'interface',
+ type: 'keyword',
+ description: 'Source interface for this session.\n',
+ },
+ {
+ name: 'nat',
+ type: 'group',
+ description: 'Post-NAT source address, if source NAT is performed.\n',
+ fields: [
+ {
+ name: 'ip',
+ type: 'ip',
+ description: 'Post-NAT source IP.\n',
+ },
+ {
+ name: 'port',
+ type: 'long',
+ description: 'Post-NAT source port.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'destination',
+ type: 'group',
+ description: 'Fields to extend the top-level destination object.\n',
+ fields: [
+ {
+ name: 'zone',
+ type: 'keyword',
+ description: 'Destination zone for this session.\n',
+ },
+ {
+ name: 'interface',
+ type: 'keyword',
+ description: 'Destination interface for this session.\n',
+ },
+ {
+ name: 'nat',
+ type: 'group',
+ description: 'Post-NAT destination address, if destination NAT is performed.\n',
+ fields: [
+ {
+ name: 'ip',
+ type: 'ip',
+ description: 'Post-NAT destination IP.\n',
+ },
+ {
+ name: 'port',
+ type: 'long',
+ description: 'Post-NAT destination port.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'network',
+ type: 'group',
+ description: 'Fields to extend the top-level network object.\n',
+ fields: [
+ {
+ name: 'pcap_id',
+ type: 'keyword',
+ description: 'Packet capture ID for a threat.\n',
+ },
+ {
+ name: 'nat',
+ type: 'group',
+ fields: [
+ {
+ name: 'community_id',
+ type: 'keyword',
+ description: 'Community ID flow-hash for the NAT 5-tuple.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'file',
+ type: 'group',
+ description: 'Fields to extend the top-level file object.\n',
+ fields: [
+ {
+ name: 'hash',
+ description:
+ 'Binary hash for a threat file sent to be analyzed by the WildFire service.\n',
+ type: 'keyword',
+ },
+ ],
+ },
+ {
+ name: 'url',
+ type: 'group',
+ description: 'Fields to extend the top-level url object.\n',
+ fields: [
+ {
+ name: 'category',
+ type: 'keyword',
+ description:
+ "For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'.\n",
+ },
+ ],
+ },
+ {
+ name: 'flow_id',
+ type: 'keyword',
+ description: 'Internal numeric identifier for each session.\n',
+ },
+ {
+ name: 'sequence_number',
+ type: 'long',
+ description:
+ 'Log entry identifier that is incremented sequentially. Unique for each log type.\n',
+ },
+ {
+ name: 'threat.resource',
+ type: 'keyword',
+ description: 'URL or file name for a threat.\n',
+ },
+ {
+ name: 'threat.id',
+ type: 'keyword',
+ description: 'Palo Alto Networks identifier for the threat.\n',
+ },
+ {
+ name: 'threat.name',
+ type: 'keyword',
+ description: 'Palo Alto Networks name for the threat.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'rabbitmq',
+ title: 'RabbitMQ',
+ description: 'RabbitMQ Module\n',
+ fields: [
+ {
+ name: 'rabbitmq',
+ type: 'group',
+ description: '\n',
+ fields: [
+ {
+ name: 'log',
+ type: 'group',
+ description: 'RabbitMQ log files\n',
+ fields: [
+ {
+ name: 'pid',
+ type: 'keyword',
+ description: 'The Erlang process id',
+ example: '<0.222.0>',
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'suricata',
+ title: 'Suricata',
+ description: 'Module for handling the EVE JSON logs produced by Suricata.\n',
+ fields: [
+ {
+ name: 'suricata',
+ type: 'group',
+ description: 'Fields from the Suricata EVE log file.\n',
+ fields: [
+ {
+ name: 'eve',
+ type: 'group',
+ description: 'Fields exported by the EVE JSON logs\n',
+ fields: [
+ {
+ name: 'event_type',
+ type: 'keyword',
+ },
+ {
+ name: 'app_proto_orig',
+ type: 'keyword',
+ },
+ {
+ name: 'tcp',
+ type: 'group',
+ fields: [
+ {
+ name: 'tcp_flags',
+ type: 'keyword',
+ },
+ {
+ name: 'psh',
+ type: 'boolean',
+ },
+ {
+ name: 'tcp_flags_tc',
+ type: 'keyword',
+ },
+ {
+ name: 'ack',
+ type: 'boolean',
+ },
+ {
+ name: 'syn',
+ type: 'boolean',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ },
+ {
+ name: 'tcp_flags_ts',
+ type: 'keyword',
+ },
+ {
+ name: 'rst',
+ type: 'boolean',
+ },
+ {
+ name: 'fin',
+ type: 'boolean',
+ },
+ ],
+ },
+ {
+ name: 'fileinfo',
+ type: 'group',
+ fields: [
+ {
+ name: 'sha1',
+ type: 'keyword',
+ },
+ {
+ name: 'filename',
+ type: 'alias',
+ path: 'file.path',
+ },
+ {
+ name: 'tx_id',
+ type: 'long',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ },
+ {
+ name: 'stored',
+ type: 'boolean',
+ },
+ {
+ name: 'gaps',
+ type: 'boolean',
+ },
+ {
+ name: 'sha256',
+ type: 'keyword',
+ },
+ {
+ name: 'md5',
+ type: 'keyword',
+ },
+ {
+ name: 'size',
+ type: 'alias',
+ path: 'file.size',
+ },
+ ],
+ },
+ {
+ name: 'icmp_type',
+ type: 'long',
+ },
+ {
+ name: 'dest_port',
+ type: 'alias',
+ path: 'destination.port',
+ },
+ {
+ name: 'src_port',
+ type: 'alias',
+ path: 'source.port',
+ },
+ {
+ name: 'proto',
+ type: 'alias',
+ path: 'network.transport',
+ },
+ {
+ name: 'pcap_cnt',
+ type: 'long',
+ },
+ {
+ name: 'src_ip',
+ type: 'alias',
+ path: 'source.ip',
+ },
+ {
+ name: 'dns',
+ type: 'group',
+ fields: [
+ {
+ name: 'type',
+ type: 'keyword',
+ },
+ {
+ name: 'rrtype',
+ type: 'keyword',
+ },
+ {
+ name: 'rrname',
+ type: 'keyword',
+ },
+ {
+ name: 'rdata',
+ type: 'keyword',
+ },
+ {
+ name: 'tx_id',
+ type: 'long',
+ },
+ {
+ name: 'ttl',
+ type: 'long',
+ },
+ {
+ name: 'rcode',
+ type: 'keyword',
+ },
+ {
+ name: 'id',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'flow_id',
+ type: 'keyword',
+ },
+ {
+ name: 'email',
+ type: 'group',
+ fields: [
+ {
+ name: 'status',
+ type: 'keyword',
+ },
+ ],
+ },
+ {
+ name: 'dest_ip',
+ type: 'alias',
+ path: 'destination.ip',
+ },
+ {
+ name: 'icmp_code',
+ type: 'long',
+ },
+ {
+ name: 'http',
+ type: 'group',
+ fields: [
+ {
+ name: 'status',
+ type: 'alias',
+ path: 'http.response.status_code',
+ },
+ {
+ name: 'redirect',
+ type: 'keyword',
+ },
+ {
+ name: 'http_user_agent',
+ type: 'alias',
+ path: 'user_agent.original',
+ },
+ {
+ name: 'protocol',
+ type: 'keyword',
+ },
+ {
+ name: 'http_refer',
+ type: 'alias',
+ path: 'http.request.referrer',
+ },
+ {
+ name: 'url',
+ type: 'alias',
+ path: 'url.original',
+ },
+ {
+ name: 'hostname',
+ type: 'alias',
+ path: 'url.domain',
+ },
+ {
+ name: 'length',
+ type: 'alias',
+ path: 'http.response.body.bytes',
+ },
+ {
+ name: 'http_method',
+ type: 'alias',
+ path: 'http.request.method',
+ },
+ {
+ name: 'http_content_type',
+ type: 'keyword',
+ },
+ ],
+ },
+ {
+ name: 'timestamp',
+ type: 'alias',
+ path: '@timestamp',
+ },
+ {
+ name: 'in_iface',
+ type: 'keyword',
+ },
+ {
+ name: 'alert',
+ type: 'group',
+ fields: [
+ {
+ name: 'category',
+ type: 'keyword',
+ },
+ {
+ name: 'severity',
+ type: 'alias',
+ path: 'event.severity',
+ },
+ {
+ name: 'rev',
+ type: 'long',
+ },
+ {
+ name: 'gid',
+ type: 'long',
+ },
+ {
+ name: 'signature',
+ type: 'keyword',
+ },
+ {
+ name: 'action',
+ type: 'alias',
+ path: 'event.outcome',
+ },
+ {
+ name: 'signature_id',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'ssh',
+ type: 'group',
+ fields: [
+ {
+ name: 'client',
+ type: 'group',
+ fields: [
+ {
+ name: 'proto_version',
+ type: 'keyword',
+ },
+ {
+ name: 'software_version',
+ type: 'keyword',
+ },
+ ],
+ },
+ {
+ name: 'server',
+ type: 'group',
+ fields: [
+ {
+ name: 'proto_version',
+ type: 'keyword',
+ },
+ {
+ name: 'software_version',
+ type: 'keyword',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'stats',
+ type: 'group',
+ fields: [
+ {
+ name: 'capture',
+ type: 'group',
+ fields: [
+ {
+ name: 'kernel_packets',
+ type: 'long',
+ },
+ {
+ name: 'kernel_drops',
+ type: 'long',
+ },
+ {
+ name: 'kernel_ifdrops',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'uptime',
+ type: 'long',
+ },
+ {
+ name: 'detect',
+ type: 'group',
+ fields: [
+ {
+ name: 'alert',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'http',
+ type: 'group',
+ fields: [
+ {
+ name: 'memcap',
+ type: 'long',
+ },
+ {
+ name: 'memuse',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'file_store',
+ type: 'group',
+ fields: [
+ {
+ name: 'open_files',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'defrag',
+ type: 'group',
+ fields: [
+ {
+ name: 'max_frag_hits',
+ type: 'long',
+ },
+ {
+ name: 'ipv4',
+ type: 'group',
+ fields: [
+ {
+ name: 'timeouts',
+ type: 'long',
+ },
+ {
+ name: 'fragments',
+ type: 'long',
+ },
+ {
+ name: 'reassembled',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'ipv6',
+ type: 'group',
+ fields: [
+ {
+ name: 'timeouts',
+ type: 'long',
+ },
+ {
+ name: 'fragments',
+ type: 'long',
+ },
+ {
+ name: 'reassembled',
+ type: 'long',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'flow',
+ type: 'group',
+ fields: [
+ {
+ name: 'tcp_reuse',
+ type: 'long',
+ },
+ {
+ name: 'udp',
+ type: 'long',
+ },
+ {
+ name: 'memcap',
+ type: 'long',
+ },
+ {
+ name: 'emerg_mode_entered',
+ type: 'long',
+ },
+ {
+ name: 'emerg_mode_over',
+ type: 'long',
+ },
+ {
+ name: 'tcp',
+ type: 'long',
+ },
+ {
+ name: 'icmpv6',
+ type: 'long',
+ },
+ {
+ name: 'icmpv4',
+ type: 'long',
+ },
+ {
+ name: 'spare',
+ type: 'long',
+ },
+ {
+ name: 'memuse',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'tcp',
+ type: 'group',
+ fields: [
+ {
+ name: 'pseudo_failed',
+ type: 'long',
+ },
+ {
+ name: 'ssn_memcap_drop',
+ type: 'long',
+ },
+ {
+ name: 'insert_data_overlap_fail',
+ type: 'long',
+ },
+ {
+ name: 'sessions',
+ type: 'long',
+ },
+ {
+ name: 'pseudo',
+ type: 'long',
+ },
+ {
+ name: 'synack',
+ type: 'long',
+ },
+ {
+ name: 'insert_data_normal_fail',
+ type: 'long',
+ },
+ {
+ name: 'syn',
+ type: 'long',
+ },
+ {
+ name: 'memuse',
+ type: 'long',
+ },
+ {
+ name: 'invalid_checksum',
+ type: 'long',
+ },
+ {
+ name: 'segment_memcap_drop',
+ type: 'long',
+ },
+ {
+ name: 'overlap',
+ type: 'long',
+ },
+ {
+ name: 'insert_list_fail',
+ type: 'long',
+ },
+ {
+ name: 'rst',
+ type: 'long',
+ },
+ {
+ name: 'stream_depth_reached',
+ type: 'long',
+ },
+ {
+ name: 'reassembly_memuse',
+ type: 'long',
+ },
+ {
+ name: 'reassembly_gap',
+ type: 'long',
+ },
+ {
+ name: 'overlap_diff_data',
+ type: 'long',
+ },
+ {
+ name: 'no_flow',
type: 'long',
},
+ ],
+ },
+ {
+ name: 'decoder',
+ type: 'group',
+ fields: [
{
- name: 'segment_memcap_drop',
+ name: 'avg_pkt_size',
type: 'long',
},
{
- name: 'overlap',
+ name: 'bytes',
type: 'long',
},
{
- name: 'insert_list_fail',
+ name: 'tcp',
type: 'long',
},
{
- name: 'rst',
+ name: 'raw',
type: 'long',
},
{
- name: 'stream_depth_reached',
+ name: 'ppp',
type: 'long',
},
{
- name: 'reassembly_memuse',
+ name: 'vlan_qinq',
type: 'long',
},
{
- name: 'reassembly_gap',
+ name: 'null',
type: 'long',
},
{
- name: 'overlap_diff_data',
+ name: 'ltnull',
+ type: 'group',
+ fields: [
+ {
+ name: 'unsupported_type',
+ type: 'long',
+ },
+ {
+ name: 'pkt_too_small',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'invalid',
+ type: 'long',
+ },
+ {
+ name: 'gre',
+ type: 'long',
+ },
+ {
+ name: 'ipv4',
+ type: 'long',
+ },
+ {
+ name: 'ipv6',
+ type: 'long',
+ },
+ {
+ name: 'pkts',
+ type: 'long',
+ },
+ {
+ name: 'ipv6_in_ipv6',
+ type: 'long',
+ },
+ {
+ name: 'ipraw',
+ type: 'group',
+ fields: [
+ {
+ name: 'invalid_ip_version',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'pppoe',
+ type: 'long',
+ },
+ {
+ name: 'udp',
+ type: 'long',
+ },
+ {
+ name: 'dce',
+ type: 'group',
+ fields: [
+ {
+ name: 'pkt_too_small',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'vlan',
+ type: 'long',
+ },
+ {
+ name: 'sctp',
+ type: 'long',
+ },
+ {
+ name: 'max_pkt_size',
+ type: 'long',
+ },
+ {
+ name: 'teredo',
+ type: 'long',
+ },
+ {
+ name: 'mpls',
+ type: 'long',
+ },
+ {
+ name: 'sll',
+ type: 'long',
+ },
+ {
+ name: 'icmpv6',
+ type: 'long',
+ },
+ {
+ name: 'icmpv4',
+ type: 'long',
+ },
+ {
+ name: 'erspan',
+ type: 'long',
+ },
+ {
+ name: 'ethernet',
+ type: 'long',
+ },
+ {
+ name: 'ipv4_in_ipv6',
+ type: 'long',
+ },
+ {
+ name: 'ieee8021ah',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'dns',
+ type: 'group',
+ fields: [
+ {
+ name: 'memcap_global',
+ type: 'long',
+ },
+ {
+ name: 'memcap_state',
+ type: 'long',
+ },
+ {
+ name: 'memuse',
+ type: 'long',
+ },
+ ],
+ },
+ {
+ name: 'flow_mgr',
+ type: 'group',
+ fields: [
+ {
+ name: 'rows_busy',
+ type: 'long',
+ },
+ {
+ name: 'flows_timeout',
+ type: 'long',
+ },
+ {
+ name: 'flows_notimeout',
+ type: 'long',
+ },
+ {
+ name: 'rows_skipped',
+ type: 'long',
+ },
+ {
+ name: 'closed_pruned',
+ type: 'long',
+ },
+ {
+ name: 'new_pruned',
+ type: 'long',
+ },
+ {
+ name: 'flows_removed',
+ type: 'long',
+ },
+ {
+ name: 'bypassed_pruned',
+ type: 'long',
+ },
+ {
+ name: 'est_pruned',
+ type: 'long',
+ },
+ {
+ name: 'flows_timeout_inuse',
+ type: 'long',
+ },
+ {
+ name: 'flows_checked',
+ type: 'long',
+ },
+ {
+ name: 'rows_maxlen',
+ type: 'long',
+ },
+ {
+ name: 'rows_checked',
+ type: 'long',
+ },
+ {
+ name: 'rows_empty',
type: 'long',
},
+ ],
+ },
+ {
+ name: 'app_layer',
+ type: 'group',
+ fields: [
+ {
+ name: 'flow',
+ type: 'group',
+ fields: [
+ {
+ name: 'tls',
+ type: 'long',
+ },
+ {
+ name: 'ftp',
+ type: 'long',
+ },
+ {
+ name: 'http',
+ type: 'long',
+ },
+ {
+ name: 'failed_udp',
+ type: 'long',
+ },
+ {
+ name: 'dns_udp',
+ type: 'long',
+ },
+ {
+ name: 'dns_tcp',
+ type: 'long',
+ },
+ {
+ name: 'smtp',
+ type: 'long',
+ },
+ {
+ name: 'failed_tcp',
+ type: 'long',
+ },
+ {
+ name: 'msn',
+ type: 'long',
+ },
+ {
+ name: 'ssh',
+ type: 'long',
+ },
+ {
+ name: 'imap',
+ type: 'long',
+ },
+ {
+ name: 'dcerpc_udp',
+ type: 'long',
+ },
+ {
+ name: 'dcerpc_tcp',
+ type: 'long',
+ },
+ {
+ name: 'smb',
+ type: 'long',
+ },
+ ],
+ },
{
- name: 'no_flow',
- type: 'long',
+ name: 'tx',
+ type: 'group',
+ fields: [
+ {
+ name: 'tls',
+ type: 'long',
+ },
+ {
+ name: 'ftp',
+ type: 'long',
+ },
+ {
+ name: 'http',
+ type: 'long',
+ },
+ {
+ name: 'dns_udp',
+ type: 'long',
+ },
+ {
+ name: 'dns_tcp',
+ type: 'long',
+ },
+ {
+ name: 'smtp',
+ type: 'long',
+ },
+ {
+ name: 'ssh',
+ type: 'long',
+ },
+ {
+ name: 'dcerpc_udp',
+ type: 'long',
+ },
+ {
+ name: 'dcerpc_tcp',
+ type: 'long',
+ },
+ {
+ name: 'smb',
+ type: 'long',
+ },
+ ],
},
],
},
+ ],
+ },
+ {
+ name: 'tls',
+ type: 'group',
+ fields: [
+ {
+ name: 'notbefore',
+ type: 'date',
+ },
+ {
+ name: 'issuerdn',
+ type: 'keyword',
+ },
+ {
+ name: 'sni',
+ type: 'keyword',
+ },
+ {
+ name: 'version',
+ type: 'keyword',
+ },
+ {
+ name: 'session_resumed',
+ type: 'boolean',
+ },
+ {
+ name: 'fingerprint',
+ type: 'keyword',
+ },
+ {
+ name: 'serial',
+ type: 'keyword',
+ },
+ {
+ name: 'notafter',
+ type: 'date',
+ },
+ {
+ name: 'subject',
+ type: 'keyword',
+ },
+ ],
+ },
+ {
+ name: 'app_proto_ts',
+ type: 'keyword',
+ },
+ {
+ name: 'flow',
+ type: 'group',
+ fields: [
+ {
+ name: 'bytes_toclient',
+ type: 'alias',
+ path: 'destination.bytes',
+ },
+ {
+ name: 'start',
+ type: 'alias',
+ path: 'event.start',
+ },
+ {
+ name: 'pkts_toclient',
+ type: 'alias',
+ path: 'destination.packets',
+ },
+ {
+ name: 'age',
+ type: 'long',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ },
+ {
+ name: 'bytes_toserver',
+ type: 'alias',
+ path: 'source.bytes',
+ },
+ {
+ name: 'reason',
+ type: 'keyword',
+ },
+ {
+ name: 'pkts_toserver',
+ type: 'alias',
+ path: 'source.packets',
+ },
+ {
+ name: 'end',
+ type: 'date',
+ },
+ {
+ name: 'alerted',
+ type: 'boolean',
+ },
+ ],
+ },
+ {
+ name: 'app_proto',
+ type: 'alias',
+ path: 'network.protocol',
+ },
+ {
+ name: 'tx_id',
+ type: 'long',
+ },
+ {
+ name: 'app_proto_tc',
+ type: 'keyword',
+ },
+ {
+ name: 'smtp',
+ type: 'group',
+ fields: [
+ {
+ name: 'rcpt_to',
+ type: 'keyword',
+ },
+ {
+ name: 'mail_from',
+ type: 'keyword',
+ },
+ {
+ name: 'helo',
+ type: 'keyword',
+ },
+ ],
+ },
+ {
+ name: 'app_proto_expected',
+ type: 'keyword',
+ },
+ {
+ name: 'flags',
+ type: 'group',
+ fields: [],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'zeek',
+ title: 'Zeek',
+ description: 'Module for handling logs produced by Zeek/Bro\n',
+ fields: [
+ {
+ name: 'zeek',
+ type: 'group',
+ description: 'Fields from Zeek/Bro logs after normalization\n',
+ fields: [
+ {
+ name: 'session_id',
+ type: 'keyword',
+ description: 'A unique identifier of the session\n',
+ },
+ {
+ name: 'capture_loss',
+ type: 'group',
+ description: 'Fields exported by the Zeek capture_loss log\n',
+ fields: [
+ {
+ name: 'ts_delta',
+ type: 'integer',
+ description: 'The time delay between this measurement and the last.\n',
+ },
+ {
+ name: 'peer',
+ type: 'keyword',
+ description:
+ 'In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.\n',
+ },
+ {
+ name: 'gaps',
+ type: 'integer',
+ description: 'Number of missed ACKs from the previous measurement interval.\n',
+ },
+ {
+ name: 'acks',
+ type: 'integer',
+ description: 'Total number of ACKs seen in the previous measurement interval.\n',
+ },
+ {
+ name: 'percent_lost',
+ type: 'double',
+ description: "Percentage of ACKs seen where the data being ACKed wasn't seen.\n",
+ },
+ ],
+ },
+ {
+ name: 'connection',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek Connection log\n',
+ fields: [
+ {
+ name: 'local_orig',
+ type: 'boolean',
+ description: 'Indicates whether the session is originated locally.\n',
+ },
+ {
+ name: 'local_resp',
+ type: 'boolean',
+ description: 'Indicates whether the session is responded locally.\n',
+ },
+ {
+ name: 'missed_bytes',
+ type: 'long',
+ description: 'Missed bytes for the session.\n',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description: 'Code indicating the state of the session.\n',
+ },
+ {
+ name: 'state_message',
+ type: 'keyword',
+ description: 'The state of the session.\n',
+ },
+ {
+ name: 'icmp',
+ type: 'group',
+ fields: [
+ {
+ name: 'type',
+ type: 'integer',
+ description: 'ICMP message type.\n',
+ },
+ {
+ name: 'code',
+ type: 'integer',
+ description: 'ICMP message code.\n',
+ },
+ ],
+ },
+ {
+ name: 'history',
+ type: 'keyword',
+ description: 'Flags indicating the history of the session.\n',
+ },
+ {
+ name: 'vlan',
+ type: 'integer',
+ description: 'VLAN identifier.\n',
+ },
+ {
+ name: 'inner_vlan',
+ type: 'integer',
+ description: 'VLAN identifier.\n',
+ },
+ ],
+ },
+ {
+ name: 'dce_rpc',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek DCE_RPC log\n',
+ fields: [
+ {
+ name: 'rtt',
+ type: 'integer',
+ description:
+ "Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.\n",
+ },
+ {
+ name: 'named_pipe',
+ type: 'keyword',
+ description: 'Remote pipe name.\n',
+ },
+ {
+ name: 'endpoint',
+ type: 'keyword',
+ description: 'Endpoint name looked up from the uuid.\n',
+ },
+ {
+ name: 'operation',
+ type: 'keyword',
+ description: 'Operation seen in the call.\n',
+ },
+ ],
+ },
+ {
+ name: 'dhcp',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek DHCP log\n',
+ fields: [
+ {
+ name: 'domain',
+ type: 'keyword',
+ description: 'Domain given by the server in option 15.\n',
+ },
+ {
+ name: 'duration',
+ type: 'double',
+ description:
+ 'Duration of the DHCP session representing the time from the first\nmessage to the last, in seconds.\n',
+ },
+ {
+ name: 'hostname',
+ type: 'keyword',
+ description: 'Name given by client in Hostname option 12.\n',
+ },
+ {
+ name: 'client_fqdn',
+ type: 'keyword',
+ description: 'FQDN given by client in Client FQDN option 81.\n',
+ },
+ {
+ name: 'lease_time',
+ type: 'integer',
+ description: 'IP address lease interval in seconds.\n',
+ },
+ {
+ name: 'address',
+ type: 'group',
+ description: 'Addresses seen in this DHCP exchange.\n',
+ fields: [
+ {
+ name: 'assigned',
+ type: 'ip',
+ description: 'IP address assigned by the server.\n',
+ },
+ {
+ name: 'client',
+ type: 'ip',
+ description:
+ 'IP address of the client. If a transaction is only a client sending\nINFORM messages then there is no lease information exchanged so this\nis helpful to know who sent the messages. Getting an address in this\nfield does require that the client sources at least one DHCP message\nusing a non-broadcast address.\n',
+ },
+ {
+ name: 'mac',
+ type: 'keyword',
+ description: "Client's hardware address.\n",
+ },
+ {
+ name: 'requested',
+ type: 'ip',
+ description: 'IP address requested by the client.\n',
+ },
+ {
+ name: 'server',
+ type: 'ip',
+ description: 'IP address of the DHCP server.\n',
+ },
+ ],
+ },
+ {
+ name: 'msg',
+ type: 'group',
+ fields: [
+ {
+ name: 'types',
+ type: 'keyword',
+ description: 'List of DHCP message types seen in this exchange.\n',
+ },
+ {
+ name: 'origin',
+ type: 'ip',
+ description:
+ '(present if policy/protocols/dhcp/msg-orig.bro is loaded)\nThe address that originated each message from the msg.types field.\n',
+ },
+ {
+ name: 'client',
+ type: 'keyword',
+ description:
+ 'Message typically accompanied with a DHCP_DECLINE so the client can\ntell the server why it rejected an address.\n',
+ },
+ {
+ name: 'server',
+ type: 'keyword',
+ description:
+ 'Message typically accompanied with a DHCP_NAK to let the client know\nwhy it rejected the request.\n',
+ },
+ ],
+ },
+ {
+ name: 'software',
+ type: 'group',
+ fields: [
+ {
+ name: 'client',
+ type: 'keyword',
+ description:
+ '(present if policy/protocols/dhcp/software.bro is loaded)\nSoftware reported by the client in the vendor_class option.\n',
+ },
+ {
+ name: 'server',
+ type: 'keyword',
+ description:
+ '(present if policy/protocols/dhcp/software.bro is loaded)\nSoftware reported by the client in the vendor_class option.\n',
+ },
+ ],
+ },
+ {
+ name: 'id',
+ type: 'group',
+ fields: [
+ {
+ name: 'circuit',
+ type: 'keyword',
+ description:
+ '(present if policy/protocols/dhcp/sub-opts.bro is loaded)\nAdded by DHCP relay agents which terminate switched or permanent\ncircuits. It encodes an agent-local identifier of the circuit from\nwhich a DHCP client-to-server packet was received. Typically it\nshould represent a router or switch interface number.\n',
+ },
+ {
+ name: 'remote_agent',
+ type: 'keyword',
+ description:
+ '(present if policy/protocols/dhcp/sub-opts.bro is loaded)\nA globally unique identifier added by relay agents to identify the\nremote host end of the circuit.\n',
+ },
+ {
+ name: 'subscriber',
+ type: 'keyword',
+ description:
+ "(present if policy/protocols/dhcp/sub-opts.bro is loaded)\nThe subscriber ID is a value independent of the physical network\nconfiguration so that a customer's DHCP configuration can be given\nto them correctly no matter where they are physically connected.\n",
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'dnp3',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SSH log\n',
+ fields: [
+ {
+ name: 'function',
+ type: 'group',
+ fields: [
+ {
+ name: 'request',
+ type: 'keyword',
+ description: 'The name of the function message in the request.\n',
+ },
+ {
+ name: 'reply',
+ type: 'keyword',
+ description: 'The name of the function message in the reply.\n',
+ },
+ ],
+ },
+ {
+ name: 'id',
+ type: 'integer',
+ description: "The response's internal indication number.\n",
+ },
+ ],
+ },
+ {
+ name: 'dns',
+ type: 'group',
+ description: 'Fields exported by the Zeek DNS log\n',
+ fields: [
+ {
+ name: 'trans_id',
+ type: 'keyword',
+ description: 'DNS transaction identifier.\n',
+ },
+ {
+ name: 'rtt',
+ type: 'double',
+ description: 'Round trip time for the query and response.\n',
+ },
+ {
+ name: 'query',
+ type: 'keyword',
+ description: 'The domain name that is the subject of the DNS query.\n',
+ },
+ {
+ name: 'qclass',
+ type: 'long',
+ description: 'The QCLASS value specifying the class of the query.\n',
+ },
+ {
+ name: 'qclass_name',
+ type: 'keyword',
+ description: 'A descriptive name for the class of the query.\n',
+ },
+ {
+ name: 'qtype',
+ type: 'long',
+ description: 'A QTYPE value specifying the type of the query.\n',
+ },
+ {
+ name: 'qtype_name',
+ type: 'keyword',
+ description: 'A descriptive name for the type of the query.\n',
+ },
+ {
+ name: 'rcode',
+ type: 'long',
+ description: 'The response code value in DNS response messages.\n',
+ },
+ {
+ name: 'rcode_name',
+ type: 'keyword',
+ description: 'A descriptive name for the response code value.\n',
+ },
+ {
+ name: 'AA',
+ type: 'boolean',
+ description:
+ 'The Authoritative Answer bit for response messages specifies that the responding\nname server is an authority for the domain name in the question section.\n',
+ },
+ {
+ name: 'TC',
+ type: 'boolean',
+ description: 'The Truncation bit specifies that the message was truncated.\n',
+ },
+ {
+ name: 'RD',
+ type: 'boolean',
+ description:
+ 'The Recursion Desired bit in a request message indicates that the client\nwants recursive service for this query.\n',
+ },
+ {
+ name: 'RA',
+ type: 'boolean',
+ description:
+ 'The Recursion Available bit in a response message indicates that the name\nserver supports recursive queries.\n',
+ },
+ {
+ name: 'answers',
+ type: 'keyword',
+ description: 'The set of resource descriptions in the query answer.\n',
+ },
+ {
+ name: 'TTLs',
+ type: 'double',
+ description:
+ 'The caching intervals of the associated RRs described by the answers field.\n',
+ },
+ {
+ name: 'rejected',
+ type: 'boolean',
+ description: 'Indicates whether the DNS query was rejected by the server.\n',
+ },
+ {
+ name: 'total_answers',
+ type: 'integer',
+ description: 'The total number of resource records in the reply.\n',
+ },
+ {
+ name: 'total_replies',
+ type: 'integer',
+ description: 'The total number of resource records in the reply message.\n',
+ },
+ {
+ name: 'saw_query',
+ type: 'boolean',
+ description: 'Whether the full DNS query has been seen.\n',
+ },
+ {
+ name: 'saw_reply',
+ type: 'boolean',
+ description: 'Whether the full DNS reply has been seen.\n',
+ },
+ ],
+ },
+ {
+ name: 'dpd',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek DPD log\n',
+ fields: [
+ {
+ name: 'analyzer',
+ type: 'keyword',
+ description: 'The analyzer that generated the violation.\n',
+ },
+ {
+ name: 'failure_reason',
+ type: 'keyword',
+ description: 'The textual reason for the analysis failure.\n',
+ },
+ {
+ name: 'packet_segment',
+ type: 'keyword',
+ description:
+ '(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded)\nA chunk of the payload that most likely resulted in the protocol violation.\n',
+ },
+ ],
+ },
+ {
+ name: 'files',
+ type: 'group',
+ description: 'Fields exported by the Zeek Files log.\n',
+ fields: [
+ {
+ name: 'fuid',
+ type: 'keyword',
+ description: 'A file unique identifier.\n',
+ },
+ {
+ name: 'tx_host',
+ type: 'ip',
+ description: 'The host that transferred the file.\n',
+ },
+ {
+ name: 'rx_host',
+ type: 'ip',
+ description: 'The host that received the file.\n',
+ },
+ {
+ name: 'session_ids',
+ type: 'keyword',
+ description: 'The sessions that have this file.\n',
+ },
+ {
+ name: 'source',
+ type: 'keyword',
+ description:
+ 'An identification of the source of the file data. E.g. it may be a network protocol\nover which it was transferred, or a local file path which was read, or some other\ninput source.\n',
+ },
+ {
+ name: 'depth',
+ type: 'long',
+ description:
+ 'A value to represent the depth of this file in relation to its source. In SMTP, it\nis the depth of the MIME attachment on the message. In HTTP, it is the depth of the\nrequest within the TCP connection.\n',
+ },
+ {
+ name: 'analyzers',
+ type: 'keyword',
+ description: 'A set of analysis types done during the file analysis.\n',
+ },
+ {
+ name: 'mime_type',
+ type: 'keyword',
+ description: 'Mime type of the file.\n',
+ },
+ {
+ name: 'filename',
+ type: 'keyword',
+ description: 'Name of the file if available.\n',
+ },
+ {
+ name: 'local_orig',
+ type: 'boolean',
+ description:
+ 'If the source of this file is a network connection, this field indicates if the data\noriginated from the local network or not.\n',
+ },
+ {
+ name: 'is_orig',
+ type: 'boolean',
+ description:
+ 'If the source of this file is a network connection, this field indicates if the file is\nbeing sent by the originator of the connection or the responder.\n',
+ },
+ {
+ name: 'duration',
+ type: 'double',
+ description:
+ 'The duration the file was analyzed for. Not the duration of the session.\n',
+ },
+ {
+ name: 'seen_bytes',
+ type: 'long',
+ description: 'Number of bytes provided to the file analysis engine for the file.\n',
+ },
+ {
+ name: 'total_bytes',
+ type: 'long',
+ description: 'Total number of bytes that are supposed to comprise the full file.\n',
+ },
+ {
+ name: 'missing_bytes',
+ type: 'long',
+ description:
+ 'The number of bytes in the file stream that were completely missed during the process\nof analysis.\n',
+ },
+ {
+ name: 'overflow_bytes',
+ type: 'long',
+ description:
+ "The number of bytes in the file stream that were not delivered to stream file analyzers.\nThis could be overlapping bytes or bytes that couldn't be reassembled.\n",
+ },
+ {
+ name: 'timedout',
+ type: 'boolean',
+ description: 'Whether the file analysis timed out at least once for the file.\n',
+ },
+ {
+ name: 'parent_fuid',
+ type: 'keyword',
+ description:
+ 'Identifier associated with a container file from which this one was extracted as part of\nthe file analysis.\n',
+ },
+ {
+ name: 'md5',
+ type: 'keyword',
+ description: 'An MD5 digest of the file contents.\n',
+ },
+ {
+ name: 'sha1',
+ type: 'keyword',
+ description: 'A SHA1 digest of the file contents.\n',
+ },
+ {
+ name: 'sha256',
+ type: 'keyword',
+ description: 'A SHA256 digest of the file contents.\n',
+ },
+ {
+ name: 'extracted',
+ type: 'keyword',
+ description: 'Local filename of extracted file.\n',
+ },
+ {
+ name: 'extracted_cutoff',
+ type: 'boolean',
+ description:
+ 'Indicate whether the file being extracted was cut off hence not extracted completely.\n',
+ },
+ {
+ name: 'extracted_size',
+ type: 'long',
+ description: 'The number of bytes extracted to disk.\n',
+ },
+ {
+ name: 'entropy',
+ type: 'double',
+ description: 'The information density of the contents of the file.\n',
+ },
+ ],
+ },
+ {
+ name: 'ftp',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek FTP log\n',
+ fields: [
+ {
+ name: 'user',
+ type: 'keyword',
+ description: 'User name for the current FTP session.\n',
+ },
+ {
+ name: 'password',
+ type: 'keyword',
+ description: 'Password for the current FTP session if captured.\n',
+ },
+ {
+ name: 'command',
+ type: 'keyword',
+ description: 'Command given by the client.\n',
+ },
+ {
+ name: 'arg',
+ type: 'keyword',
+ description: 'Argument for the command if one is given.\n',
+ },
+ {
+ name: 'file',
+ type: 'group',
+ fields: [
+ {
+ name: 'size',
+ type: 'long',
+ description: 'Size of the file if the command indicates a file transfer.\n',
+ },
{
- name: 'decoder',
- type: 'group',
- fields: [
- {
- name: 'avg_pkt_size',
- type: 'long',
- },
- {
- name: 'bytes',
- type: 'long',
- },
- {
- name: 'tcp',
- type: 'long',
- },
- {
- name: 'raw',
- type: 'long',
- },
- {
- name: 'ppp',
- type: 'long',
- },
- {
- name: 'vlan_qinq',
- type: 'long',
- },
- {
- name: 'null',
- type: 'long',
- },
- {
- name: 'ltnull',
- type: 'group',
- fields: [
- {
- name: 'unsupported_type',
- type: 'long',
- },
- {
- name: 'pkt_too_small',
- type: 'long',
- },
- ],
- },
- {
- name: 'invalid',
- type: 'long',
- },
- {
- name: 'gre',
- type: 'long',
- },
- {
- name: 'ipv4',
- type: 'long',
- },
- {
- name: 'ipv6',
- type: 'long',
- },
- {
- name: 'pkts',
- type: 'long',
- },
- {
- name: 'ipv6_in_ipv6',
- type: 'long',
- },
- {
- name: 'ipraw',
- type: 'group',
- fields: [
- {
- name: 'invalid_ip_version',
- type: 'long',
- },
- ],
- },
- {
- name: 'pppoe',
- type: 'long',
- },
- {
- name: 'udp',
- type: 'long',
- },
- {
- name: 'dce',
- type: 'group',
- fields: [
- {
- name: 'pkt_too_small',
- type: 'long',
- },
- ],
- },
- {
- name: 'vlan',
- type: 'long',
- },
- {
- name: 'sctp',
- type: 'long',
- },
- {
- name: 'max_pkt_size',
- type: 'long',
- },
- {
- name: 'teredo',
- type: 'long',
- },
- {
- name: 'mpls',
- type: 'long',
- },
- {
- name: 'sll',
- type: 'long',
- },
- {
- name: 'icmpv6',
- type: 'long',
- },
- {
- name: 'icmpv4',
- type: 'long',
- },
- {
- name: 'erspan',
- type: 'long',
- },
- {
- name: 'ethernet',
- type: 'long',
- },
- {
- name: 'ipv4_in_ipv6',
- type: 'long',
- },
- {
- name: 'ieee8021ah',
- type: 'long',
- },
- ],
+ name: 'mime_type',
+ type: 'keyword',
+ description: 'Sniffed mime type of file.\n',
+ },
+ {
+ name: 'fuid',
+ type: 'keyword',
+ description:
+ '(present if base/protocols/ftp/files.bro is loaded)\nFile unique ID.\n',
+ },
+ ],
+ },
+ {
+ name: 'reply',
+ type: 'group',
+ fields: [
+ {
+ name: 'code',
+ type: 'integer',
+ description: 'Reply code from the server in response to the command.\n',
},
{
- name: 'dns',
- type: 'group',
- fields: [
- {
- name: 'memcap_global',
- type: 'long',
- },
- {
- name: 'memcap_state',
- type: 'long',
- },
- {
- name: 'memuse',
- type: 'long',
- },
- ],
+ name: 'msg',
+ type: 'keyword',
+ description: 'Reply message from the server in response to the command.\n',
},
+ ],
+ },
+ {
+ name: 'data_channel',
+ type: 'group',
+ description: 'Expected FTP data channel.\n',
+ fields: [
{
- name: 'flow_mgr',
- type: 'group',
- fields: [
- {
- name: 'rows_busy',
- type: 'long',
- },
- {
- name: 'flows_timeout',
- type: 'long',
- },
- {
- name: 'flows_notimeout',
- type: 'long',
- },
- {
- name: 'rows_skipped',
- type: 'long',
- },
- {
- name: 'closed_pruned',
- type: 'long',
- },
- {
- name: 'new_pruned',
- type: 'long',
- },
- {
- name: 'flows_removed',
- type: 'long',
- },
- {
- name: 'bypassed_pruned',
- type: 'long',
- },
- {
- name: 'est_pruned',
- type: 'long',
- },
- {
- name: 'flows_timeout_inuse',
- type: 'long',
- },
- {
- name: 'flows_checked',
- type: 'long',
- },
- {
- name: 'rows_maxlen',
- type: 'long',
- },
- {
- name: 'rows_checked',
- type: 'long',
- },
- {
- name: 'rows_empty',
- type: 'long',
- },
- ],
+ name: 'passive',
+ type: 'boolean',
+ description: 'Whether PASV mode is toggled for control channel.\n',
},
{
- name: 'app_layer',
- type: 'group',
- fields: [
- {
- name: 'flow',
- type: 'group',
- fields: [
- {
- name: 'tls',
- type: 'long',
- },
- {
- name: 'ftp',
- type: 'long',
- },
- {
- name: 'http',
- type: 'long',
- },
- {
- name: 'failed_udp',
- type: 'long',
- },
- {
- name: 'dns_udp',
- type: 'long',
- },
- {
- name: 'dns_tcp',
- type: 'long',
- },
- {
- name: 'smtp',
- type: 'long',
- },
- {
- name: 'failed_tcp',
- type: 'long',
- },
- {
- name: 'msn',
- type: 'long',
- },
- {
- name: 'ssh',
- type: 'long',
- },
- {
- name: 'imap',
- type: 'long',
- },
- {
- name: 'dcerpc_udp',
- type: 'long',
- },
- {
- name: 'dcerpc_tcp',
- type: 'long',
- },
- {
- name: 'smb',
- type: 'long',
- },
- ],
- },
- {
- name: 'tx',
- type: 'group',
- fields: [
- {
- name: 'tls',
- type: 'long',
- },
- {
- name: 'ftp',
- type: 'long',
- },
- {
- name: 'http',
- type: 'long',
- },
- {
- name: 'dns_udp',
- type: 'long',
- },
- {
- name: 'dns_tcp',
- type: 'long',
- },
- {
- name: 'smtp',
- type: 'long',
- },
- {
- name: 'ssh',
- type: 'long',
- },
- {
- name: 'dcerpc_udp',
- type: 'long',
- },
- {
- name: 'dcerpc_tcp',
- type: 'long',
- },
- {
- name: 'smb',
- type: 'long',
- },
- ],
- },
- ],
+ name: 'originating_host',
+ type: 'ip',
+ description: 'The host that will be initiating the data connection.\n',
+ },
+ {
+ name: 'response_host',
+ type: 'ip',
+ description: 'The host that will be accepting the data connection.\n',
+ },
+ {
+ name: 'response_port',
+ type: 'integer',
+ description:
+ 'The port at which the acceptor is listening for the data connection.\n',
+ },
+ ],
+ },
+ {
+ name: 'cwd',
+ type: 'keyword',
+ description:
+ "Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use.\n",
+ },
+ {
+ name: 'cmdarg',
+ type: 'group',
+ description: 'Command that is currently waiting for a response.\n',
+ fields: [
+ {
+ name: 'cmd',
+ type: 'keyword',
+ description: 'Command.\n',
+ },
+ {
+ name: 'arg',
+ type: 'keyword',
+ description: 'Argument for the command if one was given.\n',
+ },
+ {
+ name: 'seq',
+ type: 'integer',
+ description: 'Counter to track how many commands have been executed.\n',
},
],
},
{
- name: 'tls',
+ name: 'pending_commands',
+ type: 'integer',
+ description:
+ 'Queue for commands that have been sent but not yet responded to are tracked here.\n',
+ },
+ {
+ name: 'passive',
+ type: 'boolean',
+ description: 'Indicates if the session is in active or passive mode.\n',
+ },
+ {
+ name: 'capture_password',
+ type: 'boolean',
+ description: 'Determines if the password will be captured for this request.\n',
+ },
+ {
+ name: 'last_auth_requested',
+ type: 'keyword',
+ description:
+ 'present if base/protocols/ftp/gridftp.bro is loaded.\nLast authentication/security mechanism that was used.\n',
+ },
+ ],
+ },
+ {
+ name: 'http',
+ type: 'group',
+ description: 'Fields exported by the Zeek HTTP log\n',
+ fields: [
+ {
+ name: 'trans_depth',
+ type: 'integer',
+ description:
+ 'Represents the pipelined depth into the connection of this request/response transaction.\n',
+ },
+ {
+ name: 'status_msg',
+ type: 'keyword',
+ description: 'Status message returned by the server.\n',
+ },
+ {
+ name: 'info_code',
+ type: 'integer',
+ description: 'Last seen 1xx informational reply code returned by the server.\n',
+ },
+ {
+ name: 'info_msg',
+ type: 'keyword',
+ description: 'Last seen 1xx informational reply message returned by the server.\n',
+ },
+ {
+ name: 'tags',
+ type: 'keyword',
+ description:
+ 'A set of indicators of various attributes discovered and related to a particular\nrequest/response pair.\n',
+ },
+ {
+ name: 'password',
+ type: 'keyword',
+ description: 'Password if basic-auth is performed for the request.\n',
+ },
+ {
+ name: 'captured_password',
+ type: 'boolean',
+ description: 'Determines if the password will be captured for this request.\n',
+ },
+ {
+ name: 'proxied',
+ type: 'keyword',
+ description:
+ 'All of the headers that may indicate if the HTTP request was proxied.\n',
+ },
+ {
+ name: 'range_request',
+ type: 'boolean',
+ description:
+ 'Indicates if this request can assume 206 partial content in response.\n',
+ },
+ {
+ name: 'client_header_names',
+ type: 'keyword',
+ description:
+ 'The vector of HTTP header names sent by the client. No header values\nare included here, just the header names.\n',
+ },
+ {
+ name: 'server_header_names',
+ type: 'keyword',
+ description:
+ 'The vector of HTTP header names sent by the server. No header values\nare included here, just the header names.\n',
+ },
+ {
+ name: 'orig_fuids',
+ type: 'keyword',
+ description: 'An ordered vector of file unique IDs from the originator.\n',
+ },
+ {
+ name: 'orig_mime_types',
+ type: 'keyword',
+ description: 'An ordered vector of mime types from the originator.\n',
+ },
+ {
+ name: 'orig_filenames',
+ type: 'keyword',
+ description: 'An ordered vector of filenames from the originator.\n',
+ },
+ {
+ name: 'resp_fuids',
+ type: 'keyword',
+ description: 'An ordered vector of file unique IDs from the responder.\n',
+ },
+ {
+ name: 'resp_mime_types',
+ type: 'keyword',
+ description: 'An ordered vector of mime types from the responder.\n',
+ },
+ {
+ name: 'resp_filenames',
+ type: 'keyword',
+ description: 'An ordered vector of filenames from the responder.\n',
+ },
+ {
+ name: 'orig_mime_depth',
+ type: 'integer',
+ description: 'Current number of MIME entities in the HTTP request message body.\n',
+ },
+ {
+ name: 'resp_mime_depth',
+ type: 'integer',
+ description: 'Current number of MIME entities in the HTTP response message body.\n',
+ },
+ ],
+ },
+ {
+ name: 'intel',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek Intel log.\n',
+ fields: [
+ {
+ name: 'seen',
type: 'group',
fields: [
{
- name: 'notbefore',
- type: 'date',
+ name: 'indicator',
+ type: 'keyword',
+ description: 'The intelligence indicator.\n',
},
{
- name: 'issuerdn',
+ name: 'indicator_type',
type: 'keyword',
+ description: 'The type of data the indicator represents.\n',
},
{
- name: 'sni',
+ name: 'host',
type: 'keyword',
+ description:
+ 'If the indicator type was Intel::ADDR, then this field will be present.\n',
},
{
- name: 'version',
+ name: 'conn',
type: 'keyword',
+ description:
+ 'If the data was discovered within a connection, the connection record should go here to give context to the data.\n',
},
{
- name: 'session_resumed',
- type: 'boolean',
+ name: 'where',
+ type: 'keyword',
+ description: 'Where the data was discovered.\n',
},
{
- name: 'fingerprint',
+ name: 'node',
type: 'keyword',
+ description: 'The name of the node where the match was discovered.\n',
},
{
- name: 'serial',
+ name: 'uid',
type: 'keyword',
+ description:
+ 'If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.\n',
},
{
- name: 'notafter',
- type: 'date',
+ name: 'f',
+ type: 'object',
+ description:
+ 'If the data was discovered within a file, the file record should go here to provide context to the data.\n',
},
{
- name: 'subject',
+ name: 'fuid',
type: 'keyword',
+ description:
+ 'If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.\n',
},
],
},
{
- name: 'app_proto_ts',
+ name: 'matched',
type: 'keyword',
+ description:
+ 'Event to represent a match in the intelligence data from data that was seen.\n',
},
{
- name: 'flow',
+ name: 'sources',
+ type: 'keyword',
+ description: 'Sources which supplied data for this match.\n',
+ },
+ {
+ name: 'fuid',
+ type: 'keyword',
+ description:
+ 'If a file was associated with this intelligence hit, this is the uid for the file.\n',
+ },
+ {
+ name: 'file_mime_type',
+ type: 'keyword',
+ description:
+ 'A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.\n',
+ },
+ {
+ name: 'file_desc',
+ type: 'keyword',
+ description:
+ 'Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.\n',
+ },
+ ],
+ },
+ {
+ name: 'irc',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek IRC log\n',
+ fields: [
+ {
+ name: 'nick',
+ type: 'keyword',
+ description: 'Nickname given for the connection.\n',
+ },
+ {
+ name: 'user',
+ type: 'keyword',
+ description: 'Username given for the connection.\n',
+ },
+ {
+ name: 'command',
+ type: 'keyword',
+ description: 'Command given by the client.\n',
+ },
+ {
+ name: 'value',
+ type: 'keyword',
+ description: 'Value for the command given by the client.\n',
+ },
+ {
+ name: 'addl',
+ type: 'keyword',
+ description: 'Any additional data for the command.\n',
+ },
+ {
+ name: 'dcc',
type: 'group',
fields: [
{
- name: 'bytes_toclient',
- type: 'alias',
- path: 'destination.bytes',
+ name: 'file',
+ type: 'group',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description:
+ 'Present if base/protocols/irc/dcc-send.bro is loaded.\nDCC filename requested.\n',
+ },
+ {
+ name: 'size',
+ type: 'long',
+ description:
+ 'Present if base/protocols/irc/dcc-send.bro is loaded.\nSize of the DCC transfer as indicated by the sender.\n',
+ },
+ ],
},
{
- name: 'start',
- type: 'alias',
- path: 'event.start',
+ name: 'mime_type',
+ type: 'keyword',
+ description:
+ 'present if base/protocols/irc/dcc-send.bro is loaded.\nSniffed mime type of the file.\n',
},
+ ],
+ },
+ {
+ name: 'fuid',
+ type: 'keyword',
+ description:
+ 'present if base/protocols/irc/files.bro is loaded.\nFile unique ID.\n',
+ },
+ ],
+ },
+ {
+ name: 'kerberos',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek Kerberos log\n',
+ fields: [
+ {
+ name: 'request_type',
+ type: 'keyword',
+ description:
+ 'Request type - Authentication Service (AS) or Ticket Granting Service (TGS).\n',
+ },
+ {
+ name: 'client',
+ type: 'keyword',
+ description: 'Client name.\n',
+ },
+ {
+ name: 'service',
+ type: 'keyword',
+ description: 'Service name.\n',
+ },
+ {
+ name: 'success',
+ type: 'boolean',
+ description: 'Request result.\n',
+ },
+ {
+ name: 'error',
+ type: 'group',
+ fields: [
{
- name: 'pkts_toclient',
- type: 'alias',
- path: 'destination.packets',
+ name: 'code',
+ type: 'integer',
+ description: 'Error code.\n',
},
{
- name: 'age',
- type: 'long',
+ name: 'msg',
+ type: 'keyword',
+ description: 'Error message.\n',
},
+ ],
+ },
+ {
+ name: 'valid',
+ type: 'group',
+ fields: [
{
- name: 'state',
- type: 'keyword',
+ name: 'from',
+ type: 'date',
+ description: 'Ticket valid from.\n',
},
{
- name: 'bytes_toserver',
- type: 'alias',
- path: 'source.bytes',
+ name: 'until',
+ type: 'date',
+ description: 'Ticket valid until.\n',
},
{
- name: 'reason',
+ name: 'days',
+ type: 'integer',
+ description: 'Number of days the ticket is valid for.\n',
+ },
+ ],
+ },
+ {
+ name: 'cipher',
+ type: 'keyword',
+ description: 'Ticket encryption type.\n',
+ },
+ {
+ name: 'forwardable',
+ type: 'boolean',
+ description: 'Forwardable ticket requested.\n',
+ },
+ {
+ name: 'renewable',
+ type: 'boolean',
+ description: 'Renewable ticket requested.\n',
+ },
+ {
+ name: 'ticket',
+ type: 'group',
+ fields: [
+ {
+ name: 'auth',
type: 'keyword',
+ description: 'Hash of ticket used to authorize request/transaction.\n',
},
{
- name: 'pkts_toserver',
- type: 'alias',
- path: 'source.packets',
+ name: 'new',
+ type: 'keyword',
+ description: 'Hash of ticket returned by the KDC.\n',
},
+ ],
+ },
+ {
+ name: 'cert',
+ type: 'group',
+ fields: [
{
- name: 'end',
- type: 'date',
+ name: 'client',
+ type: 'group',
+ fields: [
+ {
+ name: 'value',
+ type: 'keyword',
+ description: 'Client certificate.\n',
+ },
+ {
+ name: 'fuid',
+ type: 'keyword',
+ description: 'File unique ID of client cert.\n',
+ },
+ {
+ name: 'subject',
+ type: 'keyword',
+ description: 'Subject of client certificate.\n',
+ },
+ ],
},
{
- name: 'alerted',
- type: 'boolean',
+ name: 'server',
+ type: 'group',
+ fields: [
+ {
+ name: 'value',
+ type: 'keyword',
+ description: 'Server certificate.\n',
+ },
+ {
+ name: 'fuid',
+ type: 'keyword',
+ description: 'File unique ID of server certificate.\n',
+ },
+ {
+ name: 'subject',
+ type: 'keyword',
+ description: 'Subject of server certificate.\n',
+ },
+ ],
},
],
},
+ ],
+ },
+ {
+ name: 'modbus',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek modbus log.\n',
+ fields: [
{
- name: 'app_proto',
- type: 'alias',
- path: 'network.protocol',
+ name: 'function',
+ type: 'keyword',
+ description: 'The name of the function message that was sent.\n',
},
{
- name: 'tx_id',
- type: 'long',
+ name: 'exception',
+ type: 'keyword',
+ description: 'The exception if the response was a failure.\n',
+ },
+ {
+ name: 'track_address',
+ type: 'integer',
+ description:
+ 'Present if policy/protocols/modbus/track-memmap.bro is loaded.\nModbus track address.\n',
+ },
+ ],
+ },
+ {
+ name: 'mysql',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek MySQL log.\n',
+ fields: [
+ {
+ name: 'cmd',
+ type: 'keyword',
+ description: 'The command that was issued.\n',
},
{
- name: 'app_proto_tc',
+ name: 'arg',
type: 'keyword',
+ description: 'The argument issued to the command.\n',
},
{
- name: 'smtp',
- type: 'group',
- fields: [
- {
- name: 'rcpt_to',
- type: 'keyword',
- },
- {
- name: 'mail_from',
- type: 'keyword',
- },
- {
- name: 'helo',
- type: 'keyword',
- },
- ],
+ name: 'success',
+ type: 'boolean',
+ description: 'Whether the command succeeded.\n',
},
{
- name: 'app_proto_expected',
- type: 'keyword',
+ name: 'rows',
+ type: 'integer',
+ description: 'The number of affected rows, if any.\n',
},
{
- name: 'flags',
- type: 'group',
+ name: 'response',
+ type: 'keyword',
+ description: 'Server message, if any.\n',
},
],
},
- ],
- },
- ],
- },
- {
- key: 'zeek',
- title: 'Zeek',
- description: 'Module for handling logs produced by Zeek/Bro',
- fields: [
- {
- name: 'zeek',
- type: 'group',
- description: 'Fields from Zeek/Bro logs after normalization',
- fields: [
- {
- name: 'session_id',
- type: 'keyword',
- },
- {
- name: 'connection.local_orig',
- type: 'boolean',
- },
- {
- name: 'connection.local_resp',
- type: 'boolean',
- },
- {
- name: 'connection.missed_bytes',
- type: 'long',
- },
- {
- name: 'connection.state',
- type: 'keyword',
- },
- {
- name: 'connection.history',
- type: 'keyword',
- },
- {
- name: 'connection.orig_l2_addr',
- type: 'keyword',
- },
- {
- name: 'resp_l2_addr',
- type: 'keyword',
- },
- {
- name: 'vlan',
- type: 'keyword',
- },
- {
- name: 'inner_vlan',
- type: 'keyword',
- },
- {
- name: 'dns.trans_id',
- type: 'integer',
- },
- {
- name: 'dns.rtt',
- type: 'double',
- },
- {
- name: 'dns.query',
- type: 'keyword',
- },
- {
- name: 'dns.qclass',
- type: 'long',
- },
- {
- name: 'dns.qclass_name',
- type: 'keyword',
- },
- {
- name: 'dns.qtype',
- type: 'long',
- },
- {
- name: 'dns.qtype_name',
- type: 'keyword',
- },
- {
- name: 'dns.rcode',
- type: 'long',
- },
- {
- name: 'dns.rcode_name',
- type: 'keyword',
- },
- {
- name: 'dns.AA',
- type: 'boolean',
- },
- {
- name: 'dns.TC',
- type: 'boolean',
- },
- {
- name: 'dns.RD',
- type: 'boolean',
- },
- {
- name: 'dns.RA',
- type: 'boolean',
- },
- {
- name: 'dns.answers',
- type: 'keyword',
- },
- {
- name: 'dns.TTLs',
- type: 'double',
- },
- {
- name: 'dns.rejected',
- type: 'boolean',
- },
- {
- name: 'dns.total_answers',
- type: 'integer',
- },
- {
- name: 'dns.total_replies',
- type: 'integer',
- },
- {
- name: 'dns.saw_query',
- type: 'boolean',
- },
- {
- name: 'dns.saw_reply',
- type: 'boolean',
- },
{
- name: 'http.trans_depth',
- type: 'integer',
- },
- {
- name: 'http.status_msg',
- type: 'keyword',
- },
- {
- name: 'http.info_code',
- type: 'integer',
- },
- {
- name: 'http.info_msg',
- type: 'keyword',
- },
- {
- name: 'http.filename',
- type: 'keyword',
- },
- {
- name: 'http.tags',
- type: 'keyword',
- },
- {
- name: 'http.captured_password',
- type: 'boolean',
- },
- {
- name: 'http.proxied',
- type: 'keyword',
- },
- {
- name: 'http.range_request',
- type: 'boolean',
- },
- {
- name: 'http.client_header_names',
- type: 'keyword',
- },
- {
- name: 'http.server_header_names',
- type: 'keyword',
- },
- {
- name: 'http.orig_fuids',
- type: 'keyword',
- },
- {
- name: 'http.orig_mime_types',
- type: 'keyword',
- },
- {
- name: 'http.orig_filenames',
- type: 'keyword',
- },
- {
- name: 'http.resp_fuids',
- type: 'keyword',
- },
- {
- name: 'http.resp_mime_types',
- type: 'keyword',
- },
- {
- name: 'http.resp_filenames',
- type: 'keyword',
- },
- {
- name: 'http.orig_mime_depth',
- type: 'integer',
- },
- {
- name: 'http.resp_mime_depth',
- type: 'integer',
- },
- {
- name: 'files.fuid',
- type: 'keyword',
- },
- {
- name: 'files.tx_host',
- type: 'ip',
- },
- {
- name: 'files.rx_host',
- type: 'ip',
- },
- {
- name: 'files.session_ids',
- type: 'keyword',
- },
- {
- name: 'files.source',
- type: 'keyword',
- },
- {
- name: 'files.depth',
- type: 'long',
- },
- {
- name: 'files.direction',
- type: 'keyword',
- },
- {
- name: 'files.analyzers',
- type: 'keyword',
- },
- {
- name: 'files.mime_type',
- type: 'keyword',
- },
- {
- name: 'files.filename',
- type: 'keyword',
- },
- {
- name: 'files.local_orig',
- type: 'boolean',
- },
- {
- name: 'files.is_orig',
- type: 'boolean',
- },
- {
- name: 'files.duration',
- type: 'double',
- },
- {
- name: 'files.seen_bytes',
- type: 'long',
- },
- {
- name: 'files.total_bytes',
- type: 'long',
- },
- {
- name: 'files.missing_bytes',
- type: 'long',
- },
- {
- name: 'files.overflow_bytes',
- type: 'long',
- },
- {
- name: 'files.timedout',
- type: 'boolean',
- },
- {
- name: 'files.parent_fuid',
- type: 'keyword',
- },
- {
- name: 'files.md5',
- type: 'keyword',
- },
- {
- name: 'files.sha1',
- type: 'keyword',
- },
- {
- name: 'files.sha256',
- type: 'keyword',
- },
- {
- name: 'files.extracted',
- type: 'keyword',
+ name: 'notice',
+ type: 'group',
+ description: 'Fields exported by the Zeek Notice log.\n',
+ fields: [
+ {
+ name: 'connection_id',
+ type: 'keyword',
+ description: 'Identifier of the related connection session.\n',
+ },
+ {
+ name: 'icmp_id',
+ type: 'keyword',
+ description: 'Identifier of the related ICMP session.\n',
+ },
+ {
+ name: 'file.id',
+ type: 'keyword',
+ description:
+ 'An identifier associated with a single file that is related to this notice.\n',
+ },
+ {
+ name: 'file.parent_id',
+ type: 'keyword',
+ description:
+ 'Identifier associated with a container file from which this one was extracted.\n',
+ },
+ {
+ name: 'file.source',
+ type: 'keyword',
+ description:
+ 'An identification of the source of the file data. E.g. it may be a network protocol\nover which it was transferred, or a local file path which was read, or some other\ninput source.\n',
+ },
+ {
+ name: 'file.mime_type',
+ type: 'keyword',
+ description: 'A mime type if the notice is related to a file.\n',
+ },
+ {
+ name: 'file.is_orig',
+ type: 'boolean',
+ description:
+ 'If the source of this file is a network connection, this field indicates if the file is\nbeing sent by the originator of the connection or the responder.\n',
+ },
+ {
+ name: 'file.seen_bytes',
+ type: 'long',
+ description: 'Number of bytes provided to the file analysis engine for the file.\n',
+ },
+ {
+ name: 'ffile.total_bytes',
+ type: 'long',
+ description: 'Total number of bytes that are supposed to comprise the full file.\n',
+ },
+ {
+ name: 'file.missing_bytes',
+ type: 'long',
+ description:
+ 'The number of bytes in the file stream that were completely missed during the process\nof analysis.\n',
+ },
+ {
+ name: 'file.overflow_bytes',
+ type: 'long',
+ description:
+ "The number of bytes in the file stream that were not delivered to stream file analyzers.\nThis could be overlapping bytes or bytes that couldn't be reassembled.\n",
+ },
+ {
+ name: 'fuid',
+ type: 'keyword',
+ description: 'A file unique ID if this notice is related to a file.\n',
+ },
+ {
+ name: 'note',
+ type: 'keyword',
+ description: 'The type of the notice.\n',
+ },
+ {
+ name: 'msg',
+ type: 'keyword',
+ description: 'The human readable message for the notice.\n',
+ },
+ {
+ name: 'sub',
+ type: 'keyword',
+ description: 'The human readable sub-message.\n',
+ },
+ {
+ name: 'n',
+ type: 'long',
+ description: 'Associated count, or a status code.\n',
+ },
+ {
+ name: 'peer_name',
+ type: 'keyword',
+ description: 'Name of remote peer that raised this notice.\n',
+ },
+ {
+ name: 'peer_descr',
+ type: 'text',
+ description: 'Textual description for the peer that raised this notice.\n',
+ },
+ {
+ name: 'actions',
+ type: 'keyword',
+ description: 'The actions which have been applied to this notice.\n',
+ },
+ {
+ name: 'email_body_sections',
+ type: 'text',
+ description:
+ 'By adding chunks of text into this element, other scripts can expand on notices\nthat are being emailed.\n',
+ },
+ {
+ name: 'email_delay_tokens',
+ type: 'keyword',
+ description:
+ 'Adding a string token to this set will cause the built-in emailing functionality\nto delay sending the email either the token has been removed or the email\nhas been delayed for the specified time duration.\n',
+ },
+ {
+ name: 'identifier',
+ type: 'keyword',
+ description:
+ 'This field is provided when a notice is generated for the purpose of deduplicating notices.\n',
+ },
+ {
+ name: 'suppress_for',
+ type: 'double',
+ description:
+ 'This field indicates the length of time that this unique notice should be suppressed.\n',
+ },
+ {
+ name: 'dropped',
+ type: 'boolean',
+ description:
+ 'Indicate if the source IP address was dropped and denied network access.\n',
+ },
+ ],
},
{
- name: 'files.extracted_cutoff',
- type: 'boolean',
+ name: 'ntlm',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek NTLM log.\n',
+ fields: [
+ {
+ name: 'domain',
+ type: 'keyword',
+ description: 'Domain name given by the client.\n',
+ },
+ {
+ name: 'hostname',
+ type: 'keyword',
+ description: 'Hostname given by the client.\n',
+ },
+ {
+ name: 'success',
+ type: 'boolean',
+ description: 'Indicate whether or not the authentication was successful.\n',
+ },
+ {
+ name: 'username',
+ type: 'keyword',
+ description: 'Username given by the client.\n',
+ },
+ {
+ name: 'server',
+ type: 'group',
+ fields: [
+ {
+ name: 'name',
+ type: 'group',
+ fields: [
+ {
+ name: 'dns',
+ type: 'keyword',
+ description: 'DNS name given by the server in a CHALLENGE.\n',
+ },
+ {
+ name: 'netbios',
+ type: 'keyword',
+ description: 'NetBIOS name given by the server in a CHALLENGE.\n',
+ },
+ {
+ name: 'tree',
+ type: 'keyword',
+ description: 'Tree name given by the server in a CHALLENGE.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
},
{
- name: 'files.extracted_size',
- type: 'long',
+ name: 'ocsp',
+ type: 'group',
+ default_field: false,
+ description:
+ 'Fields exported by the Zeek OCSP log\nOnline Certificate Status Protocol (OCSP). Only created if policy script is loaded.\n',
+ fields: [
+ {
+ name: 'file_id',
+ type: 'keyword',
+ description: 'File id of the OCSP reply.\n',
+ },
+ {
+ name: 'hash',
+ type: 'group',
+ fields: [
+ {
+ name: 'algorithm',
+ type: 'keyword',
+ description:
+ 'Hash algorithm used to generate issuerNameHash and issuerKeyHash.\n',
+ },
+ {
+ name: 'issuer',
+ type: 'group',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description: "Hash of the issuer's distingueshed name.\n",
+ },
+ {
+ name: 'key',
+ type: 'keyword',
+ description: "Hash of the issuer's public key.\n",
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'serial_number',
+ type: 'keyword',
+ description: 'Serial number of the affected certificate.\n',
+ },
+ {
+ name: 'status',
+ type: 'keyword',
+ description: 'Status of the affected certificate.\n',
+ },
+ {
+ name: 'revoke',
+ type: 'group',
+ fields: [
+ {
+ name: 'time',
+ type: 'date',
+ description: 'Time at which the certificate was revoked.\n',
+ },
+ {
+ name: 'reason',
+ type: 'keyword',
+ description: 'Reason for which the certificate was revoked.\n',
+ },
+ ],
+ },
+ {
+ name: 'update',
+ type: 'group',
+ fields: [
+ {
+ name: 'this',
+ type: 'date',
+ description:
+ 'The time at which the status being shows is known to have been correct.\n',
+ },
+ {
+ name: 'next',
+ type: 'date',
+ description:
+ 'The latest time at which new information about the status of the certificate will be available.\n',
+ },
+ ],
+ },
+ ],
},
{
- name: 'files.entropy',
- type: 'double',
+ name: 'pe',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek pe log.\n',
+ fields: [
+ {
+ name: 'client',
+ type: 'keyword',
+ description: "The client's version string.\n",
+ },
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'File id of this portable executable file.\n',
+ },
+ {
+ name: 'machine',
+ type: 'keyword',
+ description: 'The target machine that the file was compiled for.\n',
+ },
+ {
+ name: 'compile_time',
+ type: 'date',
+ description: 'The time that the file was created at.\n',
+ },
+ {
+ name: 'os',
+ type: 'keyword',
+ description: 'The required operating system.\n',
+ },
+ {
+ name: 'subsystem',
+ type: 'keyword',
+ description: 'The subsystem that is required to run this file.\n',
+ },
+ {
+ name: 'is_exe',
+ type: 'boolean',
+ description: 'Is the file an executable, or just an object file?\n',
+ },
+ {
+ name: 'is_64bit',
+ type: 'boolean',
+ description: 'Is the file a 64-bit executable?\n',
+ },
+ {
+ name: 'uses_aslr',
+ type: 'boolean',
+ description: 'Does the file support Address Space Layout Randomization?\n',
+ },
+ {
+ name: 'uses_dep',
+ type: 'boolean',
+ description: 'Does the file support Data Execution Prevention?\n',
+ },
+ {
+ name: 'uses_code_integrity',
+ type: 'boolean',
+ description: 'Does the file enforce code integrity checks?\n',
+ },
+ {
+ name: 'uses_seh',
+ type: 'boolean',
+ description: 'Does the file use structured exception handing?\n',
+ },
+ {
+ name: 'has_import_table',
+ type: 'boolean',
+ description: 'Does the file have an import table?\n',
+ },
+ {
+ name: 'has_export_table',
+ type: 'boolean',
+ description: 'Does the file have an export table?\n',
+ },
+ {
+ name: 'has_cert_table',
+ type: 'boolean',
+ description: 'Does the file have an attribute certificate table?\n',
+ },
+ {
+ name: 'has_debug_data',
+ type: 'boolean',
+ description: 'Does the file have a debug table?\n',
+ },
+ {
+ name: 'section_names',
+ type: 'keyword',
+ description: 'The names of the sections, in order.\n',
+ },
+ ],
},
{
- name: 'ssl.version',
- type: 'keyword',
+ name: 'radius',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek Radius log.\n',
+ fields: [
+ {
+ name: 'username',
+ type: 'keyword',
+ description: 'The username, if present.\n',
+ },
+ {
+ name: 'mac',
+ type: 'keyword',
+ description: 'MAC address, if present.\n',
+ },
+ {
+ name: 'framed_addr',
+ type: 'ip',
+ description:
+ 'The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.\n',
+ },
+ {
+ name: 'remote_ip',
+ type: 'ip',
+ description:
+ 'Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.\n',
+ },
+ {
+ name: 'connect_info',
+ type: 'keyword',
+ description: 'Connect info, if present.\n',
+ },
+ {
+ name: 'reply_msg',
+ type: 'keyword',
+ description:
+ 'Reply message from the server challenge. This is frequently shown to the user authenticating.\n',
+ },
+ {
+ name: 'result',
+ type: 'keyword',
+ description: 'Successful or failed authentication.\n',
+ },
+ {
+ name: 'ttl',
+ type: 'integer',
+ description:
+ 'The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.\n',
+ },
+ {
+ name: 'logged',
+ type: 'boolean',
+ description: 'Whether this has already been logged and can be ignored.\n',
+ },
+ ],
},
{
- name: 'ssl.cipher',
- type: 'keyword',
+ name: 'rdp',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek RDP log.\n',
+ fields: [
+ {
+ name: 'cookie',
+ type: 'keyword',
+ description:
+ 'Cookie value used by the client machine. This is typically a username.\n',
+ },
+ {
+ name: 'result',
+ type: 'keyword',
+ description:
+ "Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages.\n",
+ },
+ {
+ name: 'security_protocol',
+ type: 'keyword',
+ description: 'Security protocol chosen by the server.\n',
+ },
+ {
+ name: 'keyboard_layout',
+ type: 'keyword',
+ description: 'Keyboard layout (language) of the client machine.\n',
+ },
+ {
+ name: 'client',
+ type: 'group',
+ fields: [
+ {
+ name: 'build',
+ type: 'keyword',
+ description: 'RDP client version used by the client machine.\n',
+ },
+ {
+ name: 'client_name',
+ type: 'keyword',
+ description: 'Name of the client machine.\n',
+ },
+ {
+ name: 'product_id',
+ type: 'keyword',
+ description: 'Product ID of the client machine.\n',
+ },
+ ],
+ },
+ {
+ name: 'desktop',
+ type: 'group',
+ fields: [
+ {
+ name: 'width',
+ type: 'integer',
+ description: 'Desktop width of the client machine.\n',
+ },
+ {
+ name: 'height',
+ type: 'integer',
+ description: 'Desktop height of the client machine.\n',
+ },
+ {
+ name: 'color_depth',
+ type: 'keyword',
+ description:
+ 'The color depth requested by the client in the high_color_depth field.\n',
+ },
+ ],
+ },
+ {
+ name: 'cert',
+ type: 'group',
+ fields: [
+ {
+ name: 'type',
+ type: 'keyword',
+ description:
+ 'If the connection is being encrypted with native RDP encryption, this is the type of cert being used.\n',
+ },
+ {
+ name: 'count',
+ type: 'integer',
+ description:
+ 'The number of certs seen. X.509 can transfer an entire certificate chain.\n',
+ },
+ {
+ name: 'permanent',
+ type: 'boolean',
+ description:
+ 'Indicates if the provided certificate or certificate chain is permanent or temporary.\n',
+ },
+ ],
+ },
+ {
+ name: 'encryption',
+ type: 'group',
+ fields: [
+ {
+ name: 'level',
+ type: 'keyword',
+ description: 'Encryption level of the connection.\n',
+ },
+ {
+ name: 'method',
+ type: 'keyword',
+ description: 'Encryption method of the connection.\n',
+ },
+ ],
+ },
+ {
+ name: 'done',
+ type: 'boolean',
+ description: 'Track status of logging RDP connections.\n',
+ },
+ {
+ name: 'ssl',
+ type: 'boolean',
+ description:
+ '(present if policy/protocols/rdp/indicate_ssl.bro is loaded)\nFlag the connection if it was seen over SSL.\n',
+ },
+ ],
},
{
- name: 'ssl.curve',
- type: 'keyword',
+ name: 'rfb',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek RFB log.\n',
+ fields: [
+ {
+ name: 'version',
+ type: 'group',
+ fields: [
+ {
+ name: 'client',
+ type: 'group',
+ fields: [
+ {
+ name: 'major',
+ type: 'keyword',
+ description: 'Major version of the client.\n',
+ },
+ {
+ name: 'minor',
+ type: 'keyword',
+ description: 'Minor version of the client.\n',
+ },
+ ],
+ },
+ {
+ name: 'server',
+ type: 'group',
+ fields: [
+ {
+ name: 'major',
+ type: 'keyword',
+ description: 'Major version of the server.\n',
+ },
+ {
+ name: 'minor',
+ type: 'keyword',
+ description: 'Minor version of the server.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'auth',
+ type: 'group',
+ fields: [
+ {
+ name: 'success',
+ type: 'boolean',
+ description: 'Whether or not authentication was successful.\n',
+ },
+ {
+ name: 'method',
+ type: 'keyword',
+ description: 'Identifier of authentication method used.\n',
+ },
+ ],
+ },
+ {
+ name: 'share_flag',
+ type: 'boolean',
+ description: 'Whether the client has an exclusive or a shared session.\n',
+ },
+ {
+ name: 'desktop_name',
+ type: 'keyword',
+ description: 'Name of the screen that is being shared.\n',
+ },
+ {
+ name: 'width',
+ type: 'integer',
+ description: 'Width of the screen that is being shared.\n',
+ },
+ {
+ name: 'height',
+ type: 'integer',
+ description: 'Height of the screen that is being shared.\n',
+ },
+ ],
},
{
- name: 'ssl.server_name',
- type: 'keyword',
+ name: 'sip',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SIP log.\n',
+ fields: [
+ {
+ name: 'transaction_depth',
+ type: 'integer',
+ description:
+ 'Represents the pipelined depth into the connection of this request/response transaction.\n',
+ },
+ {
+ name: 'sequence',
+ type: 'group',
+ fields: [
+ {
+ name: 'method',
+ type: 'keyword',
+ description: 'Verb used in the SIP request (INVITE, REGISTER etc.).\n',
+ },
+ {
+ name: 'number',
+ type: 'keyword',
+ description: 'Contents of the CSeq: header from the client.\n',
+ },
+ ],
+ },
+ {
+ name: 'uri',
+ type: 'keyword',
+ description: 'URI used in the request.\n',
+ },
+ {
+ name: 'date',
+ type: 'keyword',
+ description: 'Contents of the Date: header from the client.\n',
+ },
+ {
+ name: 'request',
+ type: 'group',
+ fields: [
+ {
+ name: 'from',
+ type: 'keyword',
+ description:
+ "Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.\n",
+ },
+ {
+ name: 'to',
+ type: 'keyword',
+ description: 'Contents of the To: header.\n',
+ },
+ {
+ name: 'path',
+ type: 'keyword',
+ description:
+ 'The client message transmission path, as extracted from the headers.\n',
+ },
+ {
+ name: 'body_length',
+ type: 'long',
+ description: 'Contents of the Content-Length: header from the client.\n',
+ },
+ ],
+ },
+ {
+ name: 'response',
+ type: 'group',
+ fields: [
+ {
+ name: 'from',
+ type: 'keyword',
+ description:
+ "Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.\n",
+ },
+ {
+ name: 'to',
+ type: 'keyword',
+ description: 'Contents of the response To: header.\n',
+ },
+ {
+ name: 'path',
+ type: 'keyword',
+ description:
+ 'The server message transmission path, as extracted from the headers.\n',
+ },
+ {
+ name: 'body_length',
+ type: 'long',
+ description: 'Contents of the Content-Length: header from the server.\n',
+ },
+ ],
+ },
+ {
+ name: 'reply_to',
+ type: 'keyword',
+ description: 'Contents of the Reply-To: header.\n',
+ },
+ {
+ name: 'call_id',
+ type: 'keyword',
+ description: 'Contents of the Call-ID: header from the client.\n',
+ },
+ {
+ name: 'subject',
+ type: 'keyword',
+ description: 'Contents of the Subject: header from the client.\n',
+ },
+ {
+ name: 'user_agent',
+ type: 'keyword',
+ description: 'Contents of the User-Agent: header from the client.\n',
+ },
+ {
+ name: 'status',
+ type: 'group',
+ fields: [
+ {
+ name: 'code',
+ type: 'integer',
+ description: 'Status code returned by the server.\n',
+ },
+ {
+ name: 'msg',
+ type: 'keyword',
+ description: 'Status message returned by the server.\n',
+ },
+ ],
+ },
+ {
+ name: 'warning',
+ type: 'keyword',
+ description: 'Contents of the Warning: header.\n',
+ },
+ {
+ name: 'content_type',
+ type: 'keyword',
+ description: 'Contents of the Content-Type: header from the server.\n',
+ },
+ ],
},
{
- name: 'ssl.resumed',
- type: 'boolean',
+ name: 'smb_cmd',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek smb_cmd log.\n',
+ fields: [
+ {
+ name: 'command',
+ type: 'keyword',
+ description: 'The command sent by the client.\n',
+ },
+ {
+ name: 'sub_command',
+ type: 'keyword',
+ description: 'The subcommand sent by the client, if present.\n',
+ },
+ {
+ name: 'argument',
+ type: 'keyword',
+ description: 'Command argument sent by the client, if any.\n',
+ },
+ {
+ name: 'status',
+ type: 'keyword',
+ description: "Server reply to the client's command.\n",
+ },
+ {
+ name: 'rtt',
+ type: 'double',
+ description: 'Round trip time from the request to the response.\n',
+ },
+ {
+ name: 'version',
+ type: 'keyword',
+ description: 'Version of SMB for the command.\n',
+ },
+ {
+ name: 'username',
+ type: 'keyword',
+ description: 'Authenticated username, if available.\n',
+ },
+ {
+ name: 'tree',
+ type: 'keyword',
+ description:
+ 'If this is related to a tree, this is the tree that was used for the current command.\n',
+ },
+ {
+ name: 'tree_service',
+ type: 'keyword',
+ description: 'The type of tree (disk share, printer share, named pipe, etc.).\n',
+ },
+ {
+ name: 'file',
+ type: 'group',
+ description: 'If the command referenced a file, store it here.\n',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Filename if one was seen.\n',
+ },
+ {
+ name: 'action',
+ type: 'keyword',
+ description: 'Action this log record represents.\n',
+ },
+ {
+ name: 'uid',
+ type: 'keyword',
+ description: 'UID of the referenced file.\n',
+ },
+ {
+ name: 'host',
+ type: 'group',
+ fields: [
+ {
+ name: 'tx',
+ type: 'ip',
+ description: 'Address of the transmitting host.\n',
+ },
+ {
+ name: 'rx',
+ type: 'ip',
+ description: 'Address of the receiving host.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'smb1_offered_dialects',
+ type: 'keyword',
+ description:
+ 'Present if base/protocols/smb/smb1-main.bro is loaded.\nDialects offered by the client.\n',
+ },
+ {
+ name: 'smb2_offered_dialects',
+ type: 'integer',
+ description:
+ 'Present if base/protocols/smb/smb2-main.bro is loaded.\nDialects offered by the client.\n',
+ },
+ ],
},
{
- name: 'ssl.next_protocol',
- type: 'keyword',
+ name: 'smb_files',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SMB Files log.\n',
+ fields: [
+ {
+ name: 'action',
+ type: 'keyword',
+ description: 'Action this log record represents.\n',
+ },
+ {
+ name: 'fid',
+ type: 'integer',
+ description: 'ID referencing this file.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Filename if one was seen.\n',
+ },
+ {
+ name: 'path',
+ type: 'keyword',
+ description: 'Path pulled from the tree this file was transferred to or from.\n',
+ },
+ {
+ name: 'previous_name',
+ type: 'keyword',
+ description:
+ "If the rename action was seen, this will be the file's previous name.\n",
+ },
+ {
+ name: 'size',
+ type: 'long',
+ description: 'Byte size of the file.\n',
+ },
+ {
+ name: 'times',
+ type: 'group',
+ description: 'Timestamps of the file.\n',
+ fields: [
+ {
+ name: 'accessed',
+ type: 'date',
+ description: "The file's access time.\n",
+ },
+ {
+ name: 'changed',
+ type: 'date',
+ description: "The file's change time.\n",
+ },
+ {
+ name: 'created',
+ type: 'date',
+ description: "The file's create time.\n",
+ },
+ {
+ name: 'modified',
+ type: 'date',
+ description: "The file's modify time.\n",
+ },
+ ],
+ },
+ {
+ name: 'uuid',
+ type: 'keyword',
+ description: 'UUID referencing this file if DCE/RPC.\n',
+ },
+ ],
},
{
- name: 'ssl.established',
- type: 'boolean',
+ name: 'smb_mapping',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SMB_Mapping log.\n',
+ fields: [
+ {
+ name: 'path',
+ type: 'keyword',
+ description: 'Name of the tree path.\n',
+ },
+ {
+ name: 'service',
+ type: 'keyword',
+ description:
+ 'The type of resource of the tree (disk share, printer share, named pipe, etc.).\n',
+ },
+ {
+ name: 'native_file_system',
+ type: 'keyword',
+ description: 'File system of the tree.\n',
+ },
+ {
+ name: 'share_type',
+ type: 'keyword',
+ description:
+ 'If this is SMB2, a share type will be included. For SMB1, the type of share\nwill be deduced and included as well.\n',
+ },
+ ],
},
{
- name: 'ssl.cert_chain',
- type: 'keyword',
+ name: 'smtp',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SMTP log.\n',
+ fields: [
+ {
+ name: 'transaction_depth',
+ type: 'integer',
+ description:
+ 'A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.\n',
+ },
+ {
+ name: 'helo',
+ type: 'keyword',
+ description: 'Contents of the Helo header.\n',
+ },
+ {
+ name: 'mail_from',
+ type: 'keyword',
+ description: 'Email addresses found in the MAIL FROM header.\n',
+ },
+ {
+ name: 'rcpt_to',
+ type: 'keyword',
+ description: 'Email addresses found in the RCPT TO header.\n',
+ },
+ {
+ name: 'date',
+ type: 'date',
+ description: 'Contents of the Date header.\n',
+ },
+ {
+ name: 'from',
+ type: 'keyword',
+ description: 'Contents of the From header.\n',
+ },
+ {
+ name: 'to',
+ type: 'keyword',
+ description: 'Contents of the To header.\n',
+ },
+ {
+ name: 'cc',
+ type: 'keyword',
+ description: 'Contents of the CC header.\n',
+ },
+ {
+ name: 'reply_to',
+ type: 'keyword',
+ description: 'Contents of the ReplyTo header.\n',
+ },
+ {
+ name: 'msg_id',
+ type: 'keyword',
+ description: 'Contents of the MsgID header.\n',
+ },
+ {
+ name: 'in_reply_to',
+ type: 'keyword',
+ description: 'Contents of the In-Reply-To header.\n',
+ },
+ {
+ name: 'subject',
+ type: 'keyword',
+ description: 'Contents of the Subject header.\n',
+ },
+ {
+ name: 'x_originating_ip',
+ type: 'keyword',
+ description: 'Contents of the X-Originating-IP header.\n',
+ },
+ {
+ name: 'first_received',
+ type: 'keyword',
+ description: 'Contents of the first Received header.\n',
+ },
+ {
+ name: 'second_received',
+ type: 'keyword',
+ description: 'Contents of the second Received header.\n',
+ },
+ {
+ name: 'last_reply',
+ type: 'keyword',
+ description: 'The last message that the server sent to the client.\n',
+ },
+ {
+ name: 'path',
+ type: 'ip',
+ description: 'The message transmission path, as extracted from the headers.\n',
+ },
+ {
+ name: 'user_agent',
+ type: 'keyword',
+ description: 'Value of the User-Agent header from the client.\n',
+ },
+ {
+ name: 'tls',
+ type: 'boolean',
+ description: 'Indicates that the connection has switched to using TLS.\n',
+ },
+ {
+ name: 'process_received_from',
+ type: 'boolean',
+ description:
+ 'Indicates if the "Received: from" headers should still be processed.\n',
+ },
+ {
+ name: 'has_client_activity',
+ type: 'boolean',
+ description: 'Indicates if client activity has been seen, but not yet logged.\n',
+ },
+ {
+ name: 'fuids',
+ type: 'keyword',
+ description:
+ '(present if base/protocols/smtp/files.bro is loaded)\nAn ordered vector of file unique IDs seen attached to the message.\n',
+ },
+ {
+ name: 'is_webmail',
+ type: 'boolean',
+ description: 'Indicates if the message was sent through a webmail interface.\n',
+ },
+ ],
},
{
- name: 'ssl.cert_chain_fuids',
- type: 'keyword',
+ name: 'snmp',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SNMP log.\n',
+ fields: [
+ {
+ name: 'duration',
+ type: 'double',
+ description:
+ 'The amount of time between the first packet beloning to the SNMP session and the latest one seen.\n',
+ },
+ {
+ name: 'version',
+ type: 'keyword',
+ description: 'The version of SNMP being used.\n',
+ },
+ {
+ name: 'community',
+ type: 'keyword',
+ description:
+ "The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.\n",
+ },
+ {
+ name: 'get',
+ type: 'group',
+ fields: [
+ {
+ name: 'requests',
+ type: 'integer',
+ description:
+ 'The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.\n',
+ },
+ {
+ name: 'bulk_requests',
+ type: 'integer',
+ description:
+ 'The number of variable bindings in GetBulkRequest PDUs seen for the session.\n',
+ },
+ {
+ name: 'responses',
+ type: 'integer',
+ description:
+ 'The number of variable bindings in GetResponse/Response PDUs seen for the session.\n',
+ },
+ ],
+ },
+ {
+ name: 'set',
+ type: 'group',
+ fields: [
+ {
+ name: 'requests',
+ type: 'integer',
+ description:
+ 'The number of variable bindings in SetRequest PDUs seen for the session.\n',
+ },
+ ],
+ },
+ {
+ name: 'display_string',
+ type: 'keyword',
+ description: 'A system description of the SNMP responder endpoint.\n',
+ },
+ {
+ name: 'up_since',
+ type: 'date',
+ description:
+ "The time at which the SNMP responder endpoint claims it's been up since.\n",
+ },
+ ],
},
{
- name: 'ssl.client_cert_chain',
- type: 'keyword',
+ name: 'socks',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SOCKS log.\n',
+ fields: [
+ {
+ name: 'version',
+ type: 'integer',
+ description: 'Protocol version of SOCKS.\n',
+ },
+ {
+ name: 'user',
+ type: 'keyword',
+ description: 'Username used to request a login to the proxy.\n',
+ },
+ {
+ name: 'password',
+ type: 'keyword',
+ description: 'Password used to request a login to the proxy.\n',
+ },
+ {
+ name: 'status',
+ type: 'keyword',
+ description: 'Server status for the attempt at using the proxy.\n',
+ },
+ {
+ name: 'request',
+ type: 'group',
+ fields: [
+ {
+ name: 'host',
+ type: 'keyword',
+ description:
+ 'Client requested SOCKS address. Could be an address, a name or both.\n',
+ },
+ {
+ name: 'port',
+ type: 'integer',
+ description: 'Client requested port.\n',
+ },
+ ],
+ },
+ {
+ name: 'bound',
+ type: 'group',
+ fields: [
+ {
+ name: 'host',
+ type: 'keyword',
+ description: 'Server bound address. Could be an address, a name or both.\n',
+ },
+ {
+ name: 'port',
+ type: 'integer',
+ description: 'Server bound port.\n',
+ },
+ ],
+ },
+ {
+ name: 'capture_password',
+ type: 'boolean',
+ description: 'Determines if the password will be captured for this request.\n',
+ },
+ ],
},
{
- name: 'ssl.client_cert_chain_fuids',
- type: 'keyword',
+ name: 'ssh',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SSH log.\n',
+ fields: [
+ {
+ name: 'client',
+ type: 'keyword',
+ description: "The client's version string.\n",
+ },
+ {
+ name: 'direction',
+ type: 'keyword',
+ description:
+ 'Direction of the connection. If the client was a local host logging into\nan external host, this would be OUTBOUND. INBOUND would be set for the\nopposite situation.\n',
+ },
+ {
+ name: 'host_key',
+ type: 'keyword',
+ description: "The server's key thumbprint.\n",
+ },
+ {
+ name: 'server',
+ type: 'keyword',
+ description: "The server's version string.\n",
+ },
+ {
+ name: 'version',
+ type: 'integer',
+ description: 'SSH major version (1 or 2).\n',
+ },
+ {
+ name: 'algorithm',
+ type: 'group',
+ description: 'Cipher algorithms used in this session.\n',
+ fields: [
+ {
+ name: 'cipher',
+ type: 'keyword',
+ description: 'The encryption algorithm in use.\n',
+ },
+ {
+ name: 'compression',
+ type: 'keyword',
+ description: 'The compression algorithm in use.\n',
+ },
+ {
+ name: 'host_key',
+ type: 'keyword',
+ description: "The server host key's algorithm.\n",
+ },
+ {
+ name: 'key_exchange',
+ type: 'keyword',
+ description: 'The key exchange algorithm in use.\n',
+ },
+ {
+ name: 'mac',
+ type: 'keyword',
+ description: 'The signing (MAC) algorithm in use.\n',
+ },
+ ],
+ },
+ {
+ name: 'auth',
+ type: 'group',
+ fields: [
+ {
+ name: 'attempts',
+ type: 'integer',
+ description:
+ "The number of authentication attemps we observed. There's always at\nleast one, since some servers might support no authentication at all.\nIt's important to note that not all of these are failures, since some\nservers require two-factor auth (e.g. password AND pubkey).\n",
+ },
+ {
+ name: 'success',
+ type: 'boolean',
+ description: 'Authentication result.\n',
+ },
+ ],
+ },
+ ],
},
{
- name: 'ssl.issuer',
- type: 'keyword',
+ name: 'ssl',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SSL log.\n',
+ fields: [
+ {
+ name: 'version',
+ type: 'keyword',
+ description: 'SSL/TLS version that was logged.\n',
+ },
+ {
+ name: 'cipher',
+ type: 'keyword',
+ description: 'SSL/TLS cipher suite that was logged.\n',
+ },
+ {
+ name: 'curve',
+ type: 'keyword',
+ description: 'Elliptic curve that was logged when using ECDH/ECDHE.\n',
+ },
+ {
+ name: 'resumed',
+ type: 'boolean',
+ description:
+ 'Flag to indicate if the session was resumed reusing the key material exchanged in an\nearlier connection.\n',
+ },
+ {
+ name: 'next_protocol',
+ type: 'keyword',
+ description:
+ 'Next protocol the server chose using the application layer next protocol extension.\n',
+ },
+ {
+ name: 'established',
+ type: 'boolean',
+ description:
+ 'Flag to indicate if this ssl session has been established successfully.\n',
+ },
+ {
+ name: 'validation',
+ type: 'group',
+ fields: [
+ {
+ name: 'status',
+ type: 'keyword',
+ description: 'Result of certificate validation for this connection.\n',
+ },
+ {
+ name: 'code',
+ type: 'keyword',
+ description:
+ 'Result of certificate validation for this connection, given as OpenSSL validation code.\n',
+ },
+ ],
+ },
+ {
+ name: 'last_alert',
+ type: 'keyword',
+ description: 'Last alert that was seen during the connection.\n',
+ },
+ {
+ name: 'server',
+ type: 'group',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description:
+ 'Value of the Server Name Indicator SSL/TLS extension. It indicates the server name\nthat the client was requesting.\n',
+ },
+ {
+ name: 'cert_chain',
+ type: 'keyword',
+ description:
+ 'Chain of certificates offered by the server to validate its complete signing chain.\n',
+ },
+ {
+ name: 'cert_chain_fuids',
+ type: 'keyword',
+ description:
+ 'An ordered vector of certificate file identifiers for the certificates offered by the server.\n',
+ },
+ {
+ name: 'issuer',
+ type: 'group',
+ description:
+ 'Subject of the signer of the X.509 certificate offered by the server.\n',
+ fields: [
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description:
+ 'Common name of the signer of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'country',
+ type: 'keyword',
+ description:
+ 'Country code of the signer of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description:
+ 'Locality of the signer of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description:
+ 'Organization of the signer of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description:
+ 'Organizational unit of the signer of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description:
+ 'State or province name of the signer of the X.509 certificate offered by the server.\n',
+ },
+ ],
+ },
+ {
+ name: 'subject',
+ type: 'group',
+ description: 'Subject of the X.509 certificate offered by the server.\n',
+ fields: [
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description:
+ 'Common name of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'country',
+ type: 'keyword',
+ description:
+ 'Country code of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description: 'Locality of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description:
+ 'Organization of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description:
+ 'Organizational unit of the X.509 certificate offered by the server.\n',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description:
+ 'State or province name of the X.509 certificate offered by the server.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'client',
+ type: 'group',
+ fields: [
+ {
+ name: 'cert_chain',
+ type: 'keyword',
+ description:
+ 'Chain of certificates offered by the client to validate its complete signing chain.\n',
+ },
+ {
+ name: 'cert_chain_fuids',
+ type: 'keyword',
+ description:
+ 'An ordered vector of certificate file identifiers for the certificates offered by the client.\n',
+ },
+ {
+ name: 'issuer',
+ type: 'group',
+ description:
+ 'Subject of the signer of the X.509 certificate offered by the client.\n',
+ fields: [
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description:
+ 'Common name of the signer of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'country',
+ type: 'keyword',
+ description:
+ 'Country code of the signer of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description:
+ 'Locality of the signer of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description:
+ 'Organization of the signer of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description:
+ 'Organizational unit of the signer of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description:
+ 'State or province name of the signer of the X.509 certificate offered by the client.\n',
+ },
+ ],
+ },
+ {
+ name: 'subject',
+ type: 'group',
+ description: 'Subject of the X.509 certificate offered by the client.\n',
+ fields: [
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description:
+ 'Common name of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'country',
+ type: 'keyword',
+ description:
+ 'Country code of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description: 'Locality of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description:
+ 'Organization of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description:
+ 'Organizational unit of the X.509 certificate offered by the client.\n',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description:
+ 'State or province name of the X.509 certificate offered by the client.\n',
+ },
+ ],
+ },
+ ],
+ },
+ ],
},
{
- name: 'ssl.client_issuer',
- type: 'keyword',
+ name: 'stats',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek stats log.\n',
+ fields: [
+ {
+ name: 'peer',
+ type: 'keyword',
+ description: 'Peer that generated this log. Mostly for clusters.\n',
+ },
+ {
+ name: 'memory',
+ type: 'integer',
+ description: 'Amount of memory currently in use in MB.\n',
+ },
+ {
+ name: 'packets',
+ type: 'group',
+ fields: [
+ {
+ name: 'processed',
+ type: 'long',
+ description: 'Number of packets processed since the last stats interval.\n',
+ },
+ {
+ name: 'dropped',
+ type: 'long',
+ description:
+ 'Number of packets dropped since the last stats interval if reading live traffic.\n',
+ },
+ {
+ name: 'received',
+ type: 'long',
+ description:
+ 'Number of packets seen on the link since the last stats interval if reading live traffic.\n',
+ },
+ ],
+ },
+ {
+ name: 'bytes',
+ type: 'group',
+ fields: [
+ {
+ name: 'received',
+ type: 'long',
+ description:
+ 'Number of bytes received since the last stats interval if reading live traffic.\n',
+ },
+ ],
+ },
+ {
+ name: 'connections',
+ type: 'group',
+ fields: [
+ {
+ name: 'tcp',
+ type: 'group',
+ fields: [
+ {
+ name: 'active',
+ type: 'integer',
+ description: 'TCP connections currently in memory.\n',
+ },
+ {
+ name: 'count',
+ type: 'integer',
+ description: 'TCP connections seen since last stats interval.\n',
+ },
+ ],
+ },
+ {
+ name: 'udp',
+ type: 'group',
+ fields: [
+ {
+ name: 'active',
+ type: 'integer',
+ description: 'UDP connections currently in memory.\n',
+ },
+ {
+ name: 'count',
+ type: 'integer',
+ description: 'UDP connections seen since last stats interval.\n',
+ },
+ ],
+ },
+ {
+ name: 'icmp',
+ type: 'group',
+ fields: [
+ {
+ name: 'active',
+ type: 'integer',
+ description: 'ICMP connections currently in memory.\n',
+ },
+ {
+ name: 'count',
+ type: 'integer',
+ description: 'ICMP connections seen since last stats interval.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'events',
+ type: 'group',
+ fields: [
+ {
+ name: 'processed',
+ type: 'integer',
+ description: 'Number of events processed since the last stats interval.\n',
+ },
+ {
+ name: 'queued',
+ type: 'integer',
+ description:
+ 'Number of events that have been queued since the last stats interval.\n',
+ },
+ ],
+ },
+ {
+ name: 'timers',
+ type: 'group',
+ fields: [
+ {
+ name: 'count',
+ type: 'integer',
+ description: 'Number of timers scheduled since last stats interval.\n',
+ },
+ {
+ name: 'active',
+ type: 'integer',
+ description: 'Current number of scheduled timers.\n',
+ },
+ ],
+ },
+ {
+ name: 'files',
+ type: 'group',
+ fields: [
+ {
+ name: 'count',
+ type: 'integer',
+ description: 'Number of files seen since last stats interval.\n',
+ },
+ {
+ name: 'active',
+ type: 'integer',
+ description: 'Current number of files actively being seen.\n',
+ },
+ ],
+ },
+ {
+ name: 'dns_requests',
+ type: 'group',
+ fields: [
+ {
+ name: 'count',
+ type: 'integer',
+ description: 'Number of DNS requests seen since last stats interval.\n',
+ },
+ {
+ name: 'active',
+ type: 'integer',
+ description: 'Current number of DNS requests awaiting a reply.\n',
+ },
+ ],
+ },
+ {
+ name: 'reassembly_size',
+ type: 'group',
+ fields: [
+ {
+ name: 'tcp',
+ type: 'integer',
+ description: 'Current size of TCP data in reassembly.\n',
+ },
+ {
+ name: 'file',
+ type: 'integer',
+ description: 'Current size of File data in reassembly.\n',
+ },
+ {
+ name: 'frag',
+ type: 'integer',
+ description: 'Current size of packet fragment data in reassembly.\n',
+ },
+ {
+ name: 'unknown',
+ type: 'integer',
+ description:
+ 'Current size of unknown data in reassembly (this is only PIA buffer right now).\n',
+ },
+ ],
+ },
+ {
+ name: 'timestamp_lag',
+ type: 'integer',
+ description:
+ 'Lag between the wall clock and packet timestamps if reading live traffic.\n',
+ },
+ ],
},
{
- name: 'ssl.validation_status',
- type: 'keyword',
+ name: 'syslog',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek syslog log.\n',
+ fields: [
+ {
+ name: 'facility',
+ type: 'keyword',
+ description: 'Syslog facility for the message.\n',
+ },
+ {
+ name: 'severity',
+ type: 'keyword',
+ description: 'Syslog severity for the message.\n',
+ },
+ {
+ name: 'message',
+ type: 'keyword',
+ description: 'The plain text message.\n',
+ },
+ ],
},
{
- name: 'ssl.subject',
- type: 'keyword',
+ name: 'tunnel',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek SSH log.\n',
+ fields: [
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'The type of tunnel.\n',
+ },
+ {
+ name: 'action',
+ type: 'keyword',
+ description: 'The type of activity that occurred.\n',
+ },
+ ],
},
{
- name: 'ssl.client_subject',
- type: 'keyword',
+ name: 'weird',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek Weird log.\n',
+ fields: [
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'The name of the weird that occurred.\n',
+ },
+ {
+ name: 'additional_info',
+ type: 'keyword',
+ description: 'Additional information accompanying the weird if any.\n',
+ },
+ {
+ name: 'notice',
+ type: 'boolean',
+ description: 'Indicate if this weird was also turned into a notice.\n',
+ },
+ {
+ name: 'peer',
+ type: 'keyword',
+ description:
+ 'The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble.\n',
+ },
+ {
+ name: 'identifier',
+ type: 'keyword',
+ description:
+ 'This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.\n',
+ },
+ ],
},
{
- name: 'ssl.last_alert',
- type: 'keyword',
+ name: 'x509',
+ type: 'group',
+ default_field: false,
+ description: 'Fields exported by the Zeek x509 log.\n',
+ fields: [
+ {
+ name: 'id',
+ type: 'keyword',
+ description: 'File id of this certificate.\n',
+ },
+ {
+ name: 'certificate',
+ type: 'group',
+ description: 'Basic information about the certificate.\n',
+ fields: [
+ {
+ name: 'version',
+ type: 'integer',
+ description: 'Version number.\n',
+ },
+ {
+ name: 'serial',
+ type: 'keyword',
+ description: 'Serial number.\n',
+ },
+ {
+ name: 'subject',
+ type: 'group',
+ description: 'Subject.\n',
+ fields: [
+ {
+ name: 'country',
+ type: 'keyword',
+ description: 'Country provided in the certificate subject.\n',
+ },
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description: 'Common name provided in the certificate subject.\n',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description: 'Locality provided in the certificate subject.\n',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description: 'Organization provided in the certificate subject.\n',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description: 'Organizational unit provided in the certificate subject.\n',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description: 'State or province provided in the certificate subject.\n',
+ },
+ ],
+ },
+ {
+ name: 'issuer',
+ type: 'group',
+ description: 'Issuer.\n',
+ fields: [
+ {
+ name: 'country',
+ type: 'keyword',
+ description: 'Country provided in the certificate issuer field.\n',
+ },
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description: 'Common name provided in the certificate issuer field.\n',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description: 'Locality provided in the certificate issuer field.\n',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description: 'Organization provided in the certificate issuer field.\n',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description:
+ 'Organizational unit provided in the certificate issuer field.\n',
+ },
+ {
+ name: 'state',
+ type: 'keyword',
+ description:
+ 'State or province provided in the certificate issuer field.\n',
+ },
+ ],
+ },
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description: 'Last (most specific) common name.\n',
+ },
+ {
+ name: 'valid',
+ type: 'group',
+ description: 'Certificate validity timestamps\n',
+ fields: [
+ {
+ name: 'from',
+ type: 'date',
+ description: 'Timestamp before when certificate is not valid.\n',
+ },
+ {
+ name: 'until',
+ type: 'date',
+ description: 'Timestamp after when certificate is not valid.\n',
+ },
+ ],
+ },
+ {
+ name: 'key',
+ type: 'group',
+ fields: [
+ {
+ name: 'algorithm',
+ type: 'keyword',
+ description: 'Name of the key algorithm.\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description:
+ 'Key type, if key parseable by openssl (either rsa, dsa or ec).\n',
+ },
+ {
+ name: 'length',
+ type: 'integer',
+ description: 'Key length in bits.\n',
+ },
+ ],
+ },
+ {
+ name: 'signature_algorithm',
+ type: 'keyword',
+ description: 'Name of the signature algorithm.\n',
+ },
+ {
+ name: 'exponent',
+ type: 'keyword',
+ description: 'Exponent, if RSA-certificate.\n',
+ },
+ {
+ name: 'curve',
+ type: 'keyword',
+ description: 'Curve, if EC-certificate.\n',
+ },
+ ],
+ },
+ {
+ name: 'san',
+ type: 'group',
+ description: 'Subject alternative name extension of the certificate.\n',
+ fields: [
+ {
+ name: 'dns',
+ type: 'keyword',
+ description: 'List of DNS entries in SAN.\n',
+ },
+ {
+ name: 'uri',
+ type: 'keyword',
+ description: 'List of URI entries in SAN.\n',
+ },
+ {
+ name: 'email',
+ type: 'keyword',
+ description: 'List of email entries in SAN.\n',
+ },
+ {
+ name: 'ip',
+ type: 'ip',
+ description: 'List of IP entries in SAN.\n',
+ },
+ {
+ name: 'other_fields',
+ type: 'boolean',
+ description:
+ 'True if the certificate contained other, not recognized or parsed name fields.\n',
+ },
+ ],
+ },
+ {
+ name: 'basic_constraints',
+ type: 'group',
+ description: 'Basic constraints extension of the certificate.\n',
+ fields: [
+ {
+ name: 'certificate_authority',
+ type: 'boolean',
+ description: 'CA flag set or not.\n',
+ },
+ {
+ name: 'path_length',
+ type: 'integer',
+ description: 'Maximum path length.\n',
+ },
+ ],
+ },
+ {
+ name: 'log_cert',
+ type: 'boolean',
+ description:
+ 'Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded\nLogging of certificate is suppressed if set to F.\n',
+ },
+ ],
},
],
},
@@ -7293,47 +18360,47 @@ export const filebeatSchema: Schema = [
{
key: 'netflow',
title: 'NetFlow',
- description: 'Fields from NetFlow and IPFIX flows.',
+ description: 'Fields from NetFlow and IPFIX flows.\n',
fields: [
{
name: 'netflow',
type: 'group',
- description: 'Fields from NetFlow and IPFIX.',
+ description: 'Fields from NetFlow and IPFIX.\n',
fields: [
{
name: 'type',
type: 'keyword',
- description: 'The type of NetFlow record described by this event.',
+ description: 'The type of NetFlow record described by this event.\n',
},
{
name: 'exporter',
type: 'group',
- description: 'Metadata related to the exporter device that generated this record.',
+ description: 'Metadata related to the exporter device that generated this record.\n',
fields: [
{
name: 'address',
type: 'keyword',
- description: "Exporter's network address in IP:port format. ",
+ description: "Exporter's network address in IP:port format.\n",
},
{
name: 'source_id',
type: 'long',
- description: 'Observation domain ID to which this record belongs.',
+ description: 'Observation domain ID to which this record belongs.\n',
},
{
name: 'timestamp',
type: 'date',
- description: 'Time and date of export.',
+ description: 'Time and date of export.\n',
},
{
name: 'uptime_millis',
type: 'long',
- description: 'How long the exporter process has been running, in milliseconds.',
+ description: 'How long the exporter process has been running, in milliseconds.\n',
},
{
name: 'version',
- type: 'long',
- description: 'NetFlow version used.',
+ type: 'integer',
+ description: 'NetFlow version used.\n',
},
],
},
@@ -7539,7 +18606,7 @@ export const filebeatSchema: Schema = [
},
{
name: 'class_id',
- type: 'short',
+ type: 'long',
},
{
name: 'minimum_ttl',
@@ -8118,19 +19185,19 @@ export const filebeatSchema: Schema = [
type: 'long',
},
{
- name: 'post_nast_ource_ipv4_address',
+ name: 'post_nat_source_ipv4_address',
type: 'ip',
},
{
- name: 'post_nadt_estination_ipv4_address',
+ name: 'post_nat_destination_ipv4_address',
type: 'ip',
},
{
- name: 'post_napst_ource_transport_port',
+ name: 'post_napt_source_transport_port',
type: 'integer',
},
{
- name: 'post_napdt_estination_transport_port',
+ name: 'post_napt_destination_transport_port',
type: 'integer',
},
{
@@ -8342,11 +19409,11 @@ export const filebeatSchema: Schema = [
type: 'long',
},
{
- name: 'post_nast_ource_ipv6_address',
+ name: 'post_nat_source_ipv6_address',
type: 'ip',
},
{
- name: 'post_nadt_estination_ipv6_address',
+ name: 'post_nat_destination_ipv6_address',
type: 'ip',
},
{
@@ -8514,11 +19581,11 @@ export const filebeatSchema: Schema = [
type: 'long',
},
{
- name: 'hash_ipp_ayload_offset',
+ name: 'hash_ip_payload_offset',
type: 'long',
},
{
- name: 'hash_ipp_ayload_size',
+ name: 'hash_ip_payload_size',
type: 'long',
},
{
@@ -8550,11 +19617,11 @@ export const filebeatSchema: Schema = [
type: 'keyword',
},
{
- name: 'upper_cli_imit',
+ name: 'upper_ci_limit',
type: 'double',
},
{
- name: 'lower_cli_imit',
+ name: 'lower_ci_limit',
type: 'double',
},
{
@@ -8718,11 +19785,11 @@ export const filebeatSchema: Schema = [
type: 'long',
},
{
- name: 'distinct_count_of_sourc_eipa_ddress',
+ name: 'distinct_count_of_source_ip_address',
type: 'long',
},
{
- name: 'distinct_count_of_destinatio_nipa_ddress',
+ name: 'distinct_count_of_destination_ip_address',
type: 'long',
},
{
@@ -8782,11 +19849,11 @@ export const filebeatSchema: Schema = [
type: 'long',
},
{
- name: 'selector_itd_otal_flows_observed',
+ name: 'selector_id_total_flows_observed',
type: 'long',
},
{
- name: 'selector_itd_otal_flows_selected',
+ name: 'selector_id_total_flows_selected',
type: 'long',
},
{
@@ -8950,7 +20017,7 @@ export const filebeatSchema: Schema = [
type: 'short',
},
{
- name: 'mib_object_valuei_pa_ddress',
+ name: 'mib_object_value_ip_address',
type: 'ip',
},
{
@@ -9078,7 +20145,7 @@ export const filebeatSchema: Schema = [
type: 'long',
},
{
- name: 'max_bieb_ntries',
+ name: 'max_bib_entries',
type: 'long',
},
{
@@ -9125,4 +20192,1052 @@ export const filebeatSchema: Schema = [
},
],
},
+ {
+ key: 's3',
+ title: 's3',
+ description: 'S3 fields from s3 input.\n',
+ release: 'beta',
+ fields: [
+ {
+ name: 'bucket_name',
+ type: 'keyword',
+ description: 'Name of the S3 bucket that this log retrieved from.\n',
+ },
+ {
+ name: 'object_key',
+ type: 'keyword',
+ description: 'Name of the S3 object that this log retrieved from.\n',
+ },
+ ],
+ },
+ {
+ key: 'cef',
+ title: 'Decode CEF processor fields',
+ description: 'Common Event Format (CEF) data.\n',
+ fields: [
+ {
+ name: 'cef',
+ type: 'group',
+ description:
+ 'By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data.\n',
+ fields: [
+ {
+ name: 'version',
+ type: 'keyword',
+ description: 'Version of the CEF specification used by the message.\n',
+ },
+ {
+ name: 'device.vendor',
+ type: 'keyword',
+ description: 'Vendor of the device that produced the message.\n',
+ },
+ {
+ name: 'device.product',
+ type: 'keyword',
+ description: 'Product of the device that produced the message.\n',
+ },
+ {
+ name: 'device.version',
+ type: 'keyword',
+ description: 'Version of the product that produced the message.\n',
+ },
+ {
+ name: 'device.event_class_id',
+ type: 'keyword',
+ description: 'Unique identifier of the event type.\n',
+ },
+ {
+ name: 'severity',
+ type: 'keyword',
+ example: 'Very-High',
+ description:
+ 'Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High.\n',
+ },
+ {
+ name: 'name',
+ type: 'keyword',
+ description: 'Short description of the event.\n',
+ },
+ {
+ name: 'extensions',
+ type: 'group',
+ description: 'Collection of key-value pairs carried in the CEF extension field.\n',
+ default_field: false,
+ fields: [
+ {
+ name: 'agentAddress',
+ type: 'ip',
+ description: 'The IP address of the ArcSight connector that processed the event.',
+ },
+ {
+ name: 'agentDnsDomain',
+ type: 'keyword',
+ description:
+ 'The DNS domain name of the ArcSight connector that processed the event.',
+ },
+ {
+ name: 'agentHostName',
+ type: 'keyword',
+ description: 'The hostname of the ArcSight connector that processed the event.',
+ },
+ {
+ name: 'agentId',
+ type: 'keyword',
+ description: 'The agent ID of the ArcSight connector that processed the event.',
+ },
+ {
+ name: 'agentMacAddress',
+ type: 'keyword',
+ description: 'The MAC address of the ArcSight connector that processed the event.',
+ },
+ {
+ name: 'agentNtDomain',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'agentReceiptTime',
+ type: 'date',
+ description:
+ 'The time at which information about the event was received by the ArcSight connector.',
+ },
+ {
+ name: 'agentTimeZone',
+ type: 'keyword',
+ description:
+ 'The agent time zone of the ArcSight connector that processed the event.',
+ },
+ {
+ name: 'agentTranslatedAddress',
+ type: 'ip',
+ description: '',
+ },
+ {
+ name: 'agentTranslatedZoneExternalID',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'agentTranslatedZoneURI',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'agentType',
+ type: 'keyword',
+ description: 'The agent type of the ArcSight connector that processed the event',
+ },
+ {
+ name: 'agentVersion',
+ type: 'keyword',
+ description: 'The version of the ArcSight connector that processed the event.',
+ },
+ {
+ name: 'agentZoneExternalID',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'agentZoneURI',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'applicationProtocol',
+ type: 'keyword',
+ description:
+ 'Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.',
+ },
+ {
+ name: 'baseEventCount',
+ type: 'long',
+ description:
+ 'A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.',
+ },
+ {
+ name: 'bytesIn',
+ type: 'long',
+ description:
+ 'Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.',
+ },
+ {
+ name: 'bytesOut',
+ type: 'long',
+ description:
+ 'Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source.',
+ },
+ {
+ name: 'customerExternalID',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'customerURI',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'destinationAddress',
+ type: 'ip',
+ description:
+ 'Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.',
+ },
+ {
+ name: 'destinationDnsDomain',
+ type: 'keyword',
+ description:
+ 'The DNS domain part of the complete fully qualified domain name (FQDN).',
+ },
+ {
+ name: 'destinationGeoLatitude',
+ type: 'double',
+ description:
+ "The latitudinal value from which the destination's IP address belongs.",
+ },
+ {
+ name: 'destinationGeoLongitude',
+ type: 'double',
+ description:
+ "The longitudinal value from which the destination's IP address belongs.",
+ },
+ {
+ name: 'destinationHostName',
+ type: 'keyword',
+ description:
+ 'Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.',
+ },
+ {
+ name: 'destinationMacAddress',
+ type: 'keyword',
+ description: 'Six colon-seperated hexadecimal numbers.',
+ },
+ {
+ name: 'destinationNtDomain',
+ type: 'keyword',
+ description: 'The Windows domain name of the destination address.',
+ },
+ {
+ name: 'destinationPort',
+ type: 'long',
+ description: 'The valid port numbers are between 0 and 65535.',
+ },
+ {
+ name: 'destinationProcessId',
+ type: 'long',
+ description:
+ 'Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID.',
+ },
+ {
+ name: 'destinationProcessName',
+ type: 'keyword',
+ description: "The name of the event's destination process.",
+ },
+ {
+ name: 'destinationServiceName',
+ type: 'keyword',
+ description: 'The service targeted by this event.',
+ },
+ {
+ name: 'destinationTranslatedAddress',
+ type: 'ip',
+ description:
+ 'Identifies the translated destination that the event refers to in an IP network.',
+ },
+ {
+ name: 'destinationTranslatedPort',
+ type: 'long',
+ description:
+ 'Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535.',
+ },
+ {
+ name: 'destinationTranslatedZoneExternalID',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'destinationTranslatedZoneURI',
+ type: 'keyword',
+ description:
+ 'The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.',
+ },
+ {
+ name: 'destinationUserId',
+ type: 'keyword',
+ description:
+ 'Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0.',
+ },
+ {
+ name: 'destinationUserName',
+ type: 'keyword',
+ description:
+ "Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.",
+ },
+ {
+ name: 'destinationUserPrivileges',
+ type: 'keyword',
+ description:
+ 'The typical values are "Administrator", "User", and "Guest". This identifies the destination user\'s privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator".',
+ },
+ {
+ name: 'destinationZoneExternalID',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'destinationZoneURI',
+ type: 'keyword',
+ description:
+ 'The URI for the Zone that the destination asset has been assigned to in ArcSight.',
+ },
+ {
+ name: 'deviceAction',
+ type: 'keyword',
+ description: 'Action taken by the device.',
+ },
+ {
+ name: 'deviceAddress',
+ type: 'ip',
+ description:
+ 'Identifies the device address that an event refers to in an IP network.',
+ },
+ {
+ name: 'deviceCustomFloatingPoint1Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomFloatingPoint3Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomFloatingPoint4Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomDate1',
+ type: 'date',
+ description:
+ 'One of two timestamp fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomDate1Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomDate2',
+ type: 'date',
+ description:
+ 'One of two timestamp fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomDate2Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomFloatingPoint1',
+ type: 'double',
+ description:
+ 'One of four floating point fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomFloatingPoint2',
+ type: 'double',
+ description:
+ 'One of four floating point fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomFloatingPoint2Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomFloatingPoint3',
+ type: 'double',
+ description:
+ 'One of four floating point fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomFloatingPoint4',
+ type: 'double',
+ description:
+ 'One of four floating point fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomIPv6Address1',
+ type: 'ip',
+ description:
+ 'One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomIPv6Address1Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomIPv6Address2',
+ type: 'ip',
+ description:
+ 'One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomIPv6Address2Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomIPv6Address3',
+ type: 'ip',
+ description:
+ 'One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomIPv6Address3Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomIPv6Address4',
+ type: 'ip',
+ description:
+ 'One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.',
+ },
+ {
+ name: 'deviceCustomIPv6Address4Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomNumber1',
+ type: 'long',
+ description:
+ 'One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceCustomNumber1Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomNumber2',
+ type: 'long',
+ description:
+ 'One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceCustomNumber2Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomNumber3',
+ type: 'long',
+ description:
+ 'One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceCustomNumber3Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomString1',
+ type: 'keyword',
+ description:
+ 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceCustomString1Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomString2',
+ type: 'keyword',
+ description:
+ 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceCustomString2Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomString3',
+ type: 'keyword',
+ description:
+ 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceCustomString3Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomString4',
+ type: 'keyword',
+ description:
+ 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceCustomString4Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomString5',
+ type: 'keyword',
+ description:
+ 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceCustomString5Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceCustomString6',
+ type: 'keyword',
+ description:
+ 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceCustomString6Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceDirection',
+ type: 'long',
+ description:
+ 'Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound.',
+ },
+ {
+ name: 'deviceDnsDomain',
+ type: 'keyword',
+ description:
+ 'The DNS domain part of the complete fully qualified domain name (FQDN).',
+ },
+ {
+ name: 'deviceEventCategory',
+ type: 'keyword',
+ description:
+ 'Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read".',
+ },
+ {
+ name: 'deviceExternalId',
+ type: 'keyword',
+ description: 'A name that uniquely identifies the device generating this event.',
+ },
+ {
+ name: 'deviceFacility',
+ type: 'keyword',
+ description:
+ 'The facility generating this event. For example, Syslog has an explicit facility associated with every event.',
+ },
+ {
+ name: 'deviceFlexNumber1',
+ type: 'long',
+ description:
+ 'One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceFlexNumber1Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceFlexNumber2',
+ type: 'long',
+ description:
+ 'One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.',
+ },
+ {
+ name: 'deviceFlexNumber2Label',
+ type: 'keyword',
+ description:
+ 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.',
+ },
+ {
+ name: 'deviceHostName',
+ type: 'keyword',
+ description:
+ 'The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.',
+ },
+ {
+ name: 'deviceInboundInterface',
+ type: 'keyword',
+ description: 'Interface on which the packet or data entered the device.',
+ },
+ {
+ name: 'deviceMacAddress',
+ type: 'keyword',
+ description: 'Six colon-separated hexadecimal numbers.',
+ },
+ {
+ name: 'deviceNtDomain',
+ type: 'keyword',
+ description: 'The Windows domain name of the device address.',
+ },
+ {
+ name: 'deviceOutboundInterface',
+ type: 'keyword',
+ description: 'Interface on which the packet or data left the device.',
+ },
+ {
+ name: 'devicePayloadId',
+ type: 'keyword',
+ description: 'Unique identifier for the payload associated with the event.',
+ },
+ {
+ name: 'deviceProcessId',
+ type: 'long',
+ description: 'Provides the ID of the process on the device generating the event.',
+ },
+ {
+ name: 'deviceProcessName',
+ type: 'keyword',
+ description:
+ 'Process name associated with the event. An example might be the process generating the syslog entry in UNIX.',
+ },
+ {
+ name: 'deviceReceiptTime',
+ type: 'date',
+ description:
+ 'The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)',
+ },
+ {
+ name: 'deviceTimeZone',
+ type: 'keyword',
+ description: 'The timezone for the device generating the event.',
+ },
+ {
+ name: 'deviceTranslatedAddress',
+ type: 'ip',
+ description:
+ 'Identifies the translated device address that the event refers to in an IP network.',
+ },
+ {
+ name: 'deviceTranslatedZoneExternalID',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'deviceTranslatedZoneURI',
+ type: 'keyword',
+ description:
+ 'The URI for the Translated Zone that the device asset has been assigned to in ArcSight.',
+ },
+ {
+ name: 'deviceZoneExternalID',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'deviceZoneURI',
+ type: 'keyword',
+ description:
+ 'Thee URI for the Zone that the device asset has been assigned to in ArcSight.',
+ },
+ {
+ name: 'endTime',
+ type: 'date',
+ description:
+ 'The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session.',
+ },
+ {
+ name: 'eventId',
+ type: 'long',
+ description: 'This is a unique ID that ArcSight assigns to each event.',
+ },
+ {
+ name: 'eventOutcome',
+ type: 'keyword',
+ description: "Displays the outcome, usually as 'success' or 'failure'.",
+ },
+ {
+ name: 'externalId',
+ type: 'keyword',
+ description:
+ 'The ID used by an originating device. They are usually increasing numbers, associated with events.',
+ },
+ {
+ name: 'fileCreateTime',
+ type: 'date',
+ description: 'Time when the file was created.',
+ },
+ {
+ name: 'fileHash',
+ type: 'keyword',
+ description: 'Hash of a file.',
+ },
+ {
+ name: 'fileId',
+ type: 'keyword',
+ description: 'An ID associated with a file could be the inode.',
+ },
+ {
+ name: 'fileModificationTime',
+ type: 'date',
+ description: 'Time when the file was last modified.',
+ },
+ {
+ name: 'filename',
+ type: 'keyword',
+ description: 'Name of the file only (without its path).',
+ },
+ {
+ name: 'filePath',
+ type: 'keyword',
+ description: 'Full path to the file, including file name itself.',
+ },
+ {
+ name: 'filePermission',
+ type: 'keyword',
+ description: 'Permissions of the file.',
+ },
+ {
+ name: 'fileSize',
+ type: 'long',
+ description: 'Size of the file.',
+ },
+ {
+ name: 'fileType',
+ type: 'keyword',
+ description: 'Type of file (pipe, socket, etc.)',
+ },
+ {
+ name: 'flexDate1',
+ type: 'date',
+ description:
+ 'A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.',
+ },
+ {
+ name: 'flexDate1Label',
+ type: 'keyword',
+ description:
+ 'The label field is a string and describes the purpose of the flex field.',
+ },
+ {
+ name: 'flexString1',
+ type: 'keyword',
+ description:
+ 'One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.',
+ },
+ {
+ name: 'flexString2',
+ type: 'keyword',
+ description:
+ 'One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.',
+ },
+ {
+ name: 'flexString1Label',
+ type: 'keyword',
+ description:
+ 'The label field is a string and describes the purpose of the flex field.',
+ },
+ {
+ name: 'flexString2Label',
+ type: 'keyword',
+ description:
+ 'The label field is a string and describes the purpose of the flex field.',
+ },
+ {
+ name: 'message',
+ type: 'keyword',
+ description:
+ 'An arbitrary message giving more details about the event. Multi-line entries can be produced by using \\n as the new line separator.',
+ },
+ {
+ name: 'oldFileCreateTime',
+ type: 'date',
+ description: 'Time when old file was created.',
+ },
+ {
+ name: 'oldFileHash',
+ type: 'keyword',
+ description: 'Hash of the old file.',
+ },
+ {
+ name: 'oldFileId',
+ type: 'keyword',
+ description: 'An ID associated with the old file could be the inode.',
+ },
+ {
+ name: 'oldFileModificationTime',
+ type: 'date',
+ description: 'Time when old file was last modified.',
+ },
+ {
+ name: 'oldFileName',
+ type: 'keyword',
+ description: 'Name of the old file.',
+ },
+ {
+ name: 'oldFilePath',
+ type: 'keyword',
+ description: 'Full path to the old file, including the file name itself.',
+ },
+ {
+ name: 'oldFilePermission',
+ type: 'keyword',
+ description: 'Permissions of the old file.',
+ },
+ {
+ name: 'oldFileSize',
+ type: 'long',
+ description: 'Size of the old file.',
+ },
+ {
+ name: 'oldFileType',
+ type: 'keyword',
+ description: 'Type of the old file (pipe, socket, etc.)',
+ },
+ {
+ name: 'rawEvent',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'Reason',
+ type: 'keyword',
+ description:
+ 'The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234".',
+ },
+ {
+ name: 'requestClientApplication',
+ type: 'keyword',
+ description: 'The User-Agent associated with the request.',
+ },
+ {
+ name: 'requestContext',
+ type: 'keyword',
+ description:
+ 'Description of the content from which the request originated (for example, HTTP Referrer)',
+ },
+ {
+ name: 'requestCookies',
+ type: 'keyword',
+ description: 'Cookies associated with the request.',
+ },
+ {
+ name: 'requestMethod',
+ type: 'keyword',
+ description: 'The HTTP method used to access a URL.',
+ },
+ {
+ name: 'requestUrl',
+ type: 'keyword',
+ description:
+ 'In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well.',
+ },
+ {
+ name: 'sourceAddress',
+ type: 'ip',
+ description: 'Identifies the source that an event refers to in an IP network.',
+ },
+ {
+ name: 'sourceDnsDomain',
+ type: 'keyword',
+ description:
+ 'The DNS domain part of the complete fully qualified domain name (FQDN).',
+ },
+ {
+ name: 'sourceGeoLatitude',
+ type: 'double',
+ description: '',
+ },
+ {
+ name: 'sourceGeoLongitude',
+ type: 'double',
+ description: '',
+ },
+ {
+ name: 'sourceHostName',
+ type: 'keyword',
+ description:
+ "Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'.\n",
+ },
+ {
+ name: 'sourceMacAddress',
+ type: 'keyword',
+ example: '00:0d:60:af:1b:61',
+ description: 'Six colon-separated hexadecimal numbers.',
+ },
+ {
+ name: 'sourceNtDomain',
+ type: 'keyword',
+ description: 'The Windows domain name for the source address.',
+ },
+ {
+ name: 'sourcePort',
+ type: 'long',
+ description: 'The valid port numbers are 0 to 65535.',
+ },
+ {
+ name: 'sourceProcessId',
+ type: 'long',
+ description: 'The ID of the source process associated with the event.',
+ },
+ {
+ name: 'sourceProcessName',
+ type: 'keyword',
+ description: "The name of the event's source process.",
+ },
+ {
+ name: 'sourceServiceName',
+ type: 'keyword',
+ description: 'The service that is responsible for generating this event.',
+ },
+ {
+ name: 'sourceTranslatedAddress',
+ type: 'ip',
+ description:
+ 'Identifies the translated source that the event refers to in an IP network.',
+ },
+ {
+ name: 'sourceTranslatedPort',
+ type: 'long',
+ description:
+ 'A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.',
+ },
+ {
+ name: 'sourceTranslatedZoneExternalID',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'sourceTranslatedZoneURI',
+ type: 'keyword',
+ description:
+ 'The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.',
+ },
+ {
+ name: 'sourceUserId',
+ type: 'keyword',
+ description:
+ 'Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.',
+ },
+ {
+ name: 'sourceUserName',
+ type: 'keyword',
+ description:
+ 'Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.',
+ },
+ {
+ name: 'sourceUserPrivileges',
+ type: 'keyword',
+ description:
+ 'The typical values are "Administrator", "User", and "Guest". It identifies the source user\'s privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator".',
+ },
+ {
+ name: 'sourceZoneExternalID',
+ type: 'keyword',
+ description: '',
+ },
+ {
+ name: 'sourceZoneURI',
+ type: 'keyword',
+ description:
+ 'The URI for the Zone that the source asset has been assigned to in ArcSight.',
+ },
+ {
+ name: 'startTime',
+ type: 'date',
+ description:
+ 'The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)',
+ },
+ {
+ name: 'transportProtocol',
+ type: 'keyword',
+ description:
+ 'Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.',
+ },
+ {
+ name: 'type',
+ type: 'long',
+ description:
+ '0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).',
+ },
+ {
+ name: 'categoryDeviceType',
+ type: 'keyword',
+ description: 'Device type. Examples - Proxy, IDS, Web Server',
+ },
+ {
+ name: 'categoryObject',
+ type: 'keyword',
+ description:
+ 'Object that the event is about. For example it can be an operating sytem, database, file, etc.',
+ },
+ {
+ name: 'categoryBehavior',
+ type: 'keyword',
+ description:
+ "Action or a behavior associated with an event. It's what is being done to the object.",
+ },
+ {
+ name: 'categoryTechnique',
+ type: 'keyword',
+ description: 'Technique being used (e.g. /DoS).',
+ },
+ {
+ name: 'categoryDeviceGroup',
+ type: 'keyword',
+ description: 'General device group like Firewall.',
+ },
+ {
+ name: 'categorySignificance',
+ type: 'keyword',
+ description: 'Characterization of the importance of the event.',
+ },
+ {
+ name: 'categoryOutcome',
+ type: 'keyword',
+ description: 'Outcome of the event (e.g. sucess, failure, or attempt).',
+ },
+ {
+ name: 'managerReceiptTime',
+ type: 'date',
+ description: 'When the Arcsight ESM received the event.',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ name: 'source.service.name',
+ type: 'keyword',
+ description: 'Service that is the source of the event.',
+ },
+ {
+ name: 'destination.service.name',
+ type: 'keyword',
+ description: 'Service that is the target of the event.',
+ },
+ ],
+ },
];
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/packetbeat.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/packetbeat.ts
index 6002c9370210ea..0be2e48fe46689 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/packetbeat.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/packetbeat.ts
@@ -15,91 +15,129 @@ export const packetbeatSchema: Schema = [
{
key: 'ecs',
title: 'ECS',
- description: 'ECS fields.',
+ description: 'ECS Fields.',
fields: [
{
name: '@timestamp',
- type: 'date',
level: 'core',
required: true,
- example: '2016-05-23T08:05:34.853Z',
+ type: 'date',
description:
- 'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
- },
- {
- name: 'tags',
- level: 'core',
- type: 'keyword',
- example: '["production", "env2"]',
- description: 'List of keywords used to tag each event.',
+ 'Date/time when the event originated.\n\nThis is the date/time extracted from the event, typically representing when\nthe event was generated by the source.\n\nIf the event source has no original timestamp, this value is typically populated\nby the first time the event was received by the pipeline.\n\nRequired field for all events.',
+ example: '2016-05-23T08:05:34.853Z',
},
{
name: 'labels',
level: 'core',
type: 'object',
- example: {
- env: 'production',
- application: 'foo-bar',
- },
+ object_type: 'keyword',
description:
- 'Key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.',
+ 'Custom key/value pairs.\n\nCan be used to add meta information to events. Should not contain nested objects.\nAll values are stored as keyword.\n\nExample: `docker` and `k8s` labels.',
+ example: '{"application": "foo-bar", "env": "production"}',
},
{
name: 'message',
level: 'core',
type: 'text',
- example: 'Hello World',
description:
- 'For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.',
+ 'For log events the message field contains the log message, optimized\nfor viewing in a log viewer.\n\nFor structured logs without an original message field, other fields can be concatenated\nto form a human-readable summary of the event.\n\nIf multiple messages exist, they can be combined into one message.',
+ example: 'Hello World',
+ },
+ {
+ name: 'tags',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'List of keywords used to tag each event.',
+ example: '["production", "env2"]',
},
{
name: 'agent',
title: 'Agent',
group: 2,
description:
- 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.',
+ 'The agent fields contain the data about the software entity, if\nany, that collects, detects, or observes events on a host, or takes measurements\non a host.\n\nExamples include Beats. Agents may also run on observers. ECS agent.* fields\nshall be populated with details of the agent running on the host or observer\nwhere the event happened or the measurement was taken.',
footnote:
- 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.',
+ 'Examples: In the case of Beats for logs, the agent.name is filebeat.\nFor APM, it is the agent running in the app/service. The agent information does\nnot change if data is sent through queuing systems like Kafka, Redis, or processing\nsystems such as Logstash or APM Server.',
type: 'group',
fields: [
{
- name: 'version',
+ name: 'ephemeral_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Ephemeral identifier of this agent (if one exists).\n\nThis id normally changes across restarts, but `agent.id` does not.',
+ example: '8a4f500f',
+ },
+ {
+ name: 'id',
level: 'core',
type: 'keyword',
- description: 'Version of the agent.',
- example: '6.0.0-rc2',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of this agent (if one exists).\n\nExample: For Beats this would be beat.id.',
+ example: '8a4f500d',
},
{
name: 'name',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
+ 'Custom name of the agent.\n\nThis is a name that can be given to an agent. This can be helpful if for example\ntwo Filebeat instances are running on the same host but a human readable separation\nis needed on which Filebeat instance data is coming from.\n\nIf no name is given, the name is often left empty.',
example: 'foo',
},
{
name: 'type',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.',
+ 'Type of the agent.\n\nThe agent type stays always the same and should be given by the agent used.\nIn case of Filebeat the agent would always be Filebeat also if two Filebeat\ninstances are run on the same machine.',
example: 'filebeat',
},
{
- name: 'id',
+ name: 'version',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'Version of the agent.',
+ example: '6.0.0-rc2',
+ },
+ ],
+ },
+ {
+ name: 'as',
+ title: 'Autonomous System',
+ group: 2,
+ description:
+ 'An autonomous system (AS) is a collection of connected Internet Protocol\n(IP) routing prefixes under the control of one or more network operators on\nbehalf of a single administrative entity or domain that presents a common, clearly\ndefined routing policy to the internet.',
+ type: 'group',
+ fields: [
+ {
+ name: 'number',
+ level: 'extended',
+ type: 'long',
description:
- 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
- example: '8a4f500d',
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
},
{
- name: 'ephemeral_id',
+ name: 'organization.name',
level: 'extended',
type: 'keyword',
- description:
- 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
- example: '8a4f500f',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
},
],
},
@@ -108,2673 +146,6183 @@ export const packetbeatSchema: Schema = [
title: 'Client',
group: 2,
description:
- 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.',
+ 'A client is defined as the initiator of a network connection for\nevents regarding sessions, connections, or bidirectional flow records.\n\nFor TCP events, the client is the initiator of the TCP connection that sends\nthe SYN packet(s). For other protocols, the client is generally the initiator\nor requestor in the network transaction. Some systems use the term "originator"\nto refer the client in TCP connections. The client fields describe details about\nthe system acting as the client in the network event. Client fields are usually\npopulated in conjunction with server fields. Client fields are generally not\npopulated for packet-level events.\n\nClient / server representations can add semantic context to an exchange, which\nis helpful to visualize the data in certain situations. If your context falls\nin that category, you should still ensure that source and destination are filled\nappropriately.',
type: 'group',
fields: [
{
name: 'address',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ 'Some event client addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
},
{
- name: 'ip',
- level: 'core',
- type: 'ip',
- description: 'IP address of the client. Can be one or multiple IPv4 or IPv6 addresses.',
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
},
{
- name: 'port',
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
level: 'core',
type: 'long',
- description: 'Port of the client.',
+ format: 'bytes',
+ description: 'Bytes sent from the client to the server.',
+ example: 184,
},
{
- name: 'mac',
+ name: 'domain',
level: 'core',
type: 'keyword',
- description: 'MAC address of the client.',
+ ignore_above: 1024,
+ description: 'Client domain.',
},
{
- name: 'domain',
+ name: 'geo.city_name',
level: 'core',
type: 'keyword',
- description: 'Client domain.',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'bytes',
+ name: 'geo.continent_name',
level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the client to the server.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'packets',
+ name: 'geo.country_iso_code',
level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the client to the server.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
- ],
- },
- {
- name: 'cloud',
- title: 'Cloud',
- group: 2,
- description: 'Fields related to the cloud or infrastructure the events are coming from.',
- footnote:
- 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.',
- type: 'group',
- fields: [
{
- name: 'provider',
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
level: 'extended',
- example: 'ec2',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Name of the cloud provider. Example values are ec2, gce, or digitalocean.',
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'availability_zone',
- level: 'extended',
- example: 'us-east-1c',
+ name: 'geo.region_iso_code',
+ level: 'core',
type: 'keyword',
- description: 'Availability zone in which this host is running.',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'region',
- level: 'extended',
+ name: 'geo.region_name',
+ level: 'core',
type: 'keyword',
- example: 'us-east-1',
- description: 'Region in which this host is running.',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
{
- name: 'instance.id',
- level: 'extended',
- type: 'keyword',
- example: 'i-1234567890abcdef0',
- description: 'Instance ID of the host machine.',
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description:
+ 'IP address of the client.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
},
{
- name: 'instance.name',
- level: 'extended',
+ name: 'mac',
+ level: 'core',
type: 'keyword',
- description: 'Instance name of the host machine.',
+ ignore_above: 1024,
+ description: 'MAC address of the client.',
},
{
- name: 'machine.type',
+ name: 'nat.ip',
level: 'extended',
- type: 'keyword',
- example: 't2.medium',
- description: 'Machine type of the host machine.',
+ type: 'ip',
+ description:
+ 'Translated IP of source based NAT sessions (e.g. internal client\nto internet).\n\nTypically connections traversing load balancers, firewalls, or routers.',
},
{
- name: 'account.id',
+ name: 'nat.port',
level: 'extended',
- type: 'keyword',
- example: 666777888999,
+ type: 'long',
+ format: 'string',
description:
- 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
+ 'Translated port of source based NAT sessions (e.g. internal client\nto internet).\n\nTypically connections traversing load balancers, firewalls, or routers.',
},
- ],
- },
- {
- name: 'container',
- title: 'Container',
- group: 2,
- description:
- 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.',
- type: 'group',
- fields: [
{
- name: 'runtime',
- level: 'extended',
- type: 'keyword',
- description: 'Runtime managing this container.',
- example: 'docker',
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the client to the server.',
+ example: 12,
},
{
- name: 'id',
+ name: 'port',
level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the client.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
type: 'keyword',
- description: 'Unique container id.',
+ ignore_above: 1024,
+ description:
+ 'The highest registered client domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
},
{
- name: 'image.name',
+ name: 'top_level_domain',
level: 'extended',
type: 'keyword',
- description: 'Name of the image the container was built on.',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
},
{
- name: 'image.tag',
+ name: 'user.domain',
level: 'extended',
type: 'keyword',
- description: 'Container image tag.',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'name',
+ name: 'user.email',
level: 'extended',
type: 'keyword',
- description: 'Container name.',
+ ignore_above: 1024,
+ description: 'User email address.',
},
{
- name: 'labels',
+ name: 'user.full_name',
level: 'extended',
- type: 'object',
- object_type: 'keyword',
- description: 'Image labels.',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
},
- ],
- },
- {
- name: 'destination',
- title: 'Destination',
- group: 2,
- description:
- 'Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields.',
- type: 'group',
- fields: [
{
- name: 'address',
+ name: 'user.group.domain',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'ip',
- level: 'core',
- type: 'ip',
- description:
- 'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.',
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
- name: 'port',
- level: 'core',
- type: 'long',
- description: 'Port of the destination.',
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
{
- name: 'mac',
- level: 'core',
+ name: 'user.hash',
+ level: 'extended',
type: 'keyword',
- description: 'MAC address of the destination.',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
},
{
- name: 'domain',
+ name: 'user.id',
level: 'core',
type: 'keyword',
- description: 'Destination domain.',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
},
{
- name: 'bytes',
+ name: 'user.name',
level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the destination to the source.',
- },
- {
- name: 'packets',
- level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the destination to the source.',
- },
- {
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Short name or login of the user.',
+ example: 'albert',
},
],
},
{
- name: 'ecs',
- title: 'ECS',
+ name: 'cloud',
+ title: 'Cloud',
group: 2,
- description: 'Meta-information specific to ECS.',
+ description: 'Fields related to the cloud or infrastructure the events are coming\nfrom.',
+ footnote:
+ 'Examples: If Metricbeat is running on an EC2 host and fetches data\nfrom its host, the cloud info contains the data about this machine. If Metricbeat\nruns on a remote machine outside the cloud and fetches data from a service running\nin the cloud, the field contains cloud data from the machine the service is\nrunning on.',
type: 'group',
fields: [
{
- name: 'version',
- level: 'core',
+ name: 'account.id',
+ level: 'extended',
type: 'keyword',
- required: true,
+ ignore_above: 1024,
description:
- 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. The current version is 1.0.0-beta2 .',
- example: '1.0.0-beta2',
+ 'The cloud account or organization id used to identify different\nentities in a multi-tenant environment.\n\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.',
+ example: 666777888999,
},
- ],
- },
- {
- name: 'error',
- title: 'Error',
- group: 2,
- description:
- 'These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.',
- type: 'group',
- fields: [
{
- name: 'id',
- level: 'core',
+ name: 'availability_zone',
+ level: 'extended',
type: 'keyword',
- description: 'Unique identifier for the error.',
+ ignore_above: 1024,
+ description: 'Availability zone in which this host is running.',
+ example: 'us-east-1c',
},
{
- name: 'message',
- level: 'core',
- type: 'text',
- description: 'Error message.',
+ name: 'instance.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Instance ID of the host machine.',
+ example: 'i-1234567890abcdef0',
},
{
- name: 'code',
- level: 'core',
+ name: 'instance.name',
+ level: 'extended',
type: 'keyword',
- description: 'Error code describing the error.',
+ ignore_above: 1024,
+ description: 'Instance name of the host machine.',
},
- ],
- },
- {
- name: 'event',
- title: 'Event',
- group: 2,
- description:
- 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host.',
- type: 'group',
- fields: [
{
- name: 'id',
- level: 'core',
+ name: 'machine.type',
+ level: 'extended',
type: 'keyword',
- description: 'Unique ID to describe the event.',
- example: '8a4f500d',
+ ignore_above: 1024,
+ description: 'Machine type of the host machine.',
+ example: 't2.medium',
},
{
- name: 'kind',
+ name: 'provider',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The kind of the event. This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'state',
+ 'Name of the cloud provider. Example values are aws, azure, gcp,\nor digitalocean.',
+ example: 'aws',
},
{
- name: 'category',
- level: 'core',
+ name: 'region',
+ level: 'extended',
type: 'keyword',
- description:
- 'Event category. This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'user-management',
+ ignore_above: 1024,
+ description: 'Region in which this host is running.',
+ example: 'us-east-1',
},
+ ],
+ },
+ {
+ name: 'code_signature',
+ title: 'Code Signature',
+ group: 2,
+ description: 'These fields contain information about binary code signatures.',
+ type: 'group',
+ fields: [
{
- name: 'action',
+ name: 'exists',
level: 'core',
- type: 'keyword',
- description:
- 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.',
- example: 'user-password-change',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'outcome',
+ name: 'status',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'The outcome of the event. If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.',
- example: 'success',
- },
- {
- name: 'type',
- level: 'core',
- type: 'keyword',
- description: 'Reserved for future usage. Please avoid using this field for user data.',
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
},
{
- name: 'module',
+ name: 'subject_name',
level: 'core',
type: 'keyword',
- description:
- 'Name of the module this data is coming from. This information is coming from the modules used in Beats or Logstash.',
- example: 'mysql',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'dataset',
- level: 'core',
- type: 'keyword',
+ name: 'trusted',
+ level: 'extended',
+ type: 'boolean',
description:
- 'Name of the dataset. The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name.',
- example: 'stats',
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'severity',
- level: 'core',
- type: 'long',
- example: '7',
+ name: 'valid',
+ level: 'extended',
+ type: 'boolean',
description:
- "Severity describes the severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. ",
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
},
+ ],
+ },
+ {
+ name: 'container',
+ title: 'Container',
+ group: 2,
+ description:
+ 'Container fields are used for meta information about the specific\ncontainer that is the source of information.\n\nThese fields help correlate data based containers from any runtime.',
+ type: 'group',
+ fields: [
{
- name: 'original',
+ name: 'id',
level: 'core',
type: 'keyword',
- example:
- 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232',
- description:
- 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.',
- index: false,
- doc_values: false,
+ ignore_above: 1024,
+ description: 'Unique container id.',
},
{
- name: 'hash',
+ name: 'image.name',
level: 'extended',
type: 'keyword',
- example: '123456789012345678901234567890ABCD',
- description:
- 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.',
- },
- {
- name: 'duration',
- level: 'core',
- type: 'long',
- format: 'duration',
- input_format: 'nanoseconds',
- description:
- 'Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.',
+ ignore_above: 1024,
+ description: 'Name of the image the container was built on.',
},
{
- name: 'timezone',
+ name: 'image.tag',
level: 'extended',
type: 'keyword',
- description:
- 'This field should be populated when the event\'s timestamp does not include timezone information already (e.g. default Syslog timestamps). It\'s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").',
+ ignore_above: 1024,
+ description: 'Container image tags.',
},
{
- name: 'created',
- level: 'core',
- type: 'date',
- description:
- 'event.created contains the date when the event was created. This timestamp is distinct from @timestamp in that @timestamp contains the processed timestamp. For logs these two timestamps can be different as the timestamp in the log line and when the event is read for example by Filebeat are not identical. `@timestamp` must contain the timestamp extracted from the log line, event.created when the log line is read. The same could apply to package capturing where @timestamp contains the timestamp extracted from the network package and event.created when the event was created. In case the two timestamps are identical, @timestamp should be used.',
- },
- {
- name: 'start',
+ name: 'labels',
level: 'extended',
- type: 'date',
- description:
- 'event.start contains the date when the event started or when the activity was first observed.',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Image labels.',
},
{
- name: 'end',
+ name: 'name',
level: 'extended',
- type: 'date',
- description:
- 'event.end contains the date when the event ended or when the activity was last observed.',
- },
- {
- name: 'risk_score',
- level: 'core',
- type: 'float',
- description:
- "Risk score or priority of the event (e.g. security solutions). Use your system's original value here. ",
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Container name.',
},
{
- name: 'risk_score_norm',
+ name: 'runtime',
level: 'extended',
- type: 'float',
- description:
- 'Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Runtime managing this container.',
+ example: 'docker',
},
],
},
{
- name: 'file',
+ name: 'destination',
+ title: 'Destination',
group: 2,
- title: 'File',
description:
- 'A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.',
+ 'Destination fields describe details about the destination of a packet/event.\n\nDestination fields are usually populated in conjunction with source fields.',
type: 'group',
fields: [
{
- name: 'path',
+ name: 'address',
level: 'extended',
type: 'keyword',
- description: 'Path to the file.',
+ ignore_above: 1024,
+ description:
+ 'Some event destination addresses are defined ambiguously. The\nevent will sometimes list an IP, a domain or a unix socket. You should always\nstore the raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
},
{
- name: 'target_path',
+ name: 'as.number',
level: 'extended',
- type: 'keyword',
- description: 'Target path for symlinks.',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
},
{
- name: 'extension',
+ name: 'as.organization.name',
level: 'extended',
type: 'keyword',
- description: 'File extension. This should allow easy filtering by file extensions.',
- example: 'png',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
},
{
- name: 'type',
- level: 'extended',
- type: 'keyword',
- description: 'File type (file, dir, or symlink).',
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the destination to the source.',
+ example: 184,
},
{
- name: 'device',
- level: 'extended',
+ name: 'domain',
+ level: 'core',
type: 'keyword',
- description: 'Device that is the source of the file.',
+ ignore_above: 1024,
+ description: 'Destination domain.',
},
{
- name: 'inode',
- level: 'extended',
+ name: 'geo.city_name',
+ level: 'core',
type: 'keyword',
- description: 'Inode representing the file in the filesystem.',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'uid',
- level: 'extended',
+ name: 'geo.continent_name',
+ level: 'core',
type: 'keyword',
- description: 'The user ID (UID) or security identifier (SID) of the file owner.',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'owner',
- level: 'extended',
+ name: 'geo.country_iso_code',
+ level: 'core',
type: 'keyword',
- description: "File owner's username.",
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'gid',
- level: 'extended',
+ name: 'geo.country_name',
+ level: 'core',
type: 'keyword',
- description: 'Primary group ID (GID) of the file.',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'group',
- level: 'extended',
- type: 'keyword',
- description: 'Primary group name of the file.',
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
{
- name: 'mode',
- level: 'extended',
- type: 'keyword',
- example: 416,
- description: 'Mode of the file in octal representation.',
- },
- {
- name: 'size',
- level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'File size in bytes (field is only added when `type` is `file`).',
- },
- {
- name: 'mtime',
- level: 'extended',
- type: 'date',
- description: 'Last time file content was modified.',
- },
- {
- name: 'ctime',
- level: 'extended',
- type: 'date',
- description: 'Last time file metadata changed.',
- },
- ],
- },
- {
- name: 'group',
- title: 'Group',
- group: 2,
- description:
- 'The group fields are meant to represent groups that are relevant to the event.',
- type: 'group',
- fields: [
- {
- name: 'id',
+ name: 'geo.name',
level: 'extended',
type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description: 'Name of the group.',
- },
- ],
- },
- {
- name: 'host',
- title: 'Host',
- group: 2,
- description:
- 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or on which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.',
- type: 'group',
- fields: [
- {
- name: 'hostname',
- level: 'core',
- type: 'keyword',
+ ignore_above: 1024,
description:
- 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.',
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'name',
+ name: 'geo.region_iso_code',
level: 'core',
type: 'keyword',
- description:
- 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'id',
+ name: 'geo.region_name',
level: 'core',
type: 'keyword',
- description:
- 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
{
name: 'ip',
level: 'core',
type: 'ip',
- description: 'Host ip address.',
+ description:
+ 'IP address of the destination.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
},
{
name: 'mac',
level: 'core',
type: 'keyword',
- description: 'Host mac address.',
+ ignore_above: 1024,
+ description: 'MAC address of the destination.',
},
{
- name: 'type',
- level: 'core',
- type: 'keyword',
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
description:
- 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.',
+ 'Translated ip of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
},
{
- name: 'architecture',
- level: 'core',
- type: 'keyword',
- example: 'x86_64',
- description: 'Operating system architecture.',
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Port the source session is translated to by NAT Device.\n\nTypically used with load balancers, firewalls, or routers.',
},
{
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
- {
- name: 'platform',
- level: 'extended',
- type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
- },
- {
- name: 'full',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
- },
- {
- name: 'family',
- level: 'extended',
- type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- },
- {
- name: 'version',
- level: 'extended',
- type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
- },
- {
- name: 'kernel',
- level: 'extended',
- type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
- },
- ],
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the destination to the source.',
+ example: 12,
},
{
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the destination.',
},
- ],
- },
- {
- name: 'http',
- title: 'HTTP',
- group: 2,
- description: 'Fields related to HTTP activity.',
- type: 'group',
- fields: [
{
- name: 'request.method',
+ name: 'registered_domain',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Http request method. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'get, post, put',
+ 'The highest registered destination domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
},
{
- name: 'request.body.content',
+ name: 'top_level_domain',
level: 'extended',
type: 'keyword',
- description: 'The full http request body.',
- example: 'Hello world',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
},
{
- name: 'request.referrer',
+ name: 'user.domain',
level: 'extended',
type: 'keyword',
- description: 'Referrer for this HTTP request.',
- example: 'https://blog.example.com/',
- },
- {
- name: 'response.status_code',
- level: 'extended',
- type: 'long',
- description: 'Http response status code.',
- example: 404,
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'response.body.content',
+ name: 'user.email',
level: 'extended',
type: 'keyword',
- description: 'The full http response body.',
- example: 'Hello world',
+ ignore_above: 1024,
+ description: 'User email address.',
},
{
- name: 'version',
+ name: 'user.full_name',
level: 'extended',
type: 'keyword',
- description: 'Http version.',
- example: 1.1,
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
},
{
- name: 'request.bytes',
+ name: 'user.group.domain',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Total size in bytes of the request (body and headers).',
- example: 1437,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'request.body.bytes',
+ name: 'user.group.id',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Size in bytes of the request body.',
- example: 887,
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
- name: 'response.bytes',
+ name: 'user.group.name',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Total size in bytes of the response (body and headers).',
- example: 1437,
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
{
- name: 'response.body.bytes',
+ name: 'user.hash',
level: 'extended',
- type: 'long',
- format: 'bytes',
- description: 'Size in bytes of the response body.',
- example: 887,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
},
- ],
- },
- {
- name: 'log',
- title: 'Log',
- description: 'Fields which are specific to log events.',
- type: 'group',
- fields: [
{
- name: 'level',
+ name: 'user.id',
level: 'core',
type: 'keyword',
- description: 'Log level of the log event. Some examples are `WARN`, `ERR`, `INFO`.',
- example: 'ERR',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
},
{
- name: 'original',
+ name: 'user.name',
level: 'core',
type: 'keyword',
- example: 'Sep 19 08:26:10 localhost My log',
- index: false,
- doc_values: false,
- description:
- " This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. ",
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
},
],
},
{
- name: 'network',
- title: 'Network',
+ name: 'dll',
+ title: 'DLL',
group: 2,
description:
- 'The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.',
+ 'These fields contain information about code libraries dynamically\nloaded into processes.\n\n\nMany operating systems refer to "shared code libraries" with different names,\nbut this field set refers to all of the following:\n\n* Dynamic-link library (`.dll`) commonly used on Windows\n\n* Shared Object (`.so`) commonly used on Unix-like operating systems\n\n* Dynamic library (`.dylib`) commonly used on macOS',
type: 'group',
fields: [
{
- name: 'name',
+ name: 'code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.status',
level: 'extended',
type: 'keyword',
- description: 'Name given by operators to sections of their network.',
- example: 'Guest Wifi',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
},
{
- name: 'type',
+ name: 'code_signature.subject_name',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
description:
- 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'ipv4',
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'iana_number',
+ name: 'code_signature.valid',
level: 'extended',
- type: 'keyword',
+ type: 'boolean',
description:
- 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.',
- example: 6,
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'transport',
- level: 'core',
+ name: 'hash.md5',
+ level: 'extended',
type: 'keyword',
- description:
- 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'tcp',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ default_field: false,
},
{
- name: 'application',
+ name: 'hash.sha1',
level: 'extended',
type: 'keyword',
- description:
- 'A name given to an application. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'aim',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ default_field: false,
},
{
- name: 'protocol',
- level: 'core',
+ name: 'hash.sha256',
+ level: 'extended',
type: 'keyword',
- description:
- 'L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.',
- example: 'http',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ default_field: false,
},
{
- name: 'direction',
- level: 'core',
+ name: 'hash.sha512',
+ level: 'extended',
type: 'keyword',
- description:
- "Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. ",
- example: 'inbound',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ default_field: false,
},
{
- name: 'forwarded_ip',
+ name: 'name',
level: 'core',
- type: 'ip',
- description: 'Host IP address when the source IP address is the proxy.',
- example: '192.1.1.2',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the library.\n\nThis generally maps to the name of the file on disk.',
+ example: 'kernel32.dll',
+ default_field: false,
},
{
- name: 'community_id',
+ name: 'path',
level: 'extended',
type: 'keyword',
- description:
- 'A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec.',
- example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=',
- },
- {
- name: 'bytes',
- level: 'core',
- type: 'long',
- format: 'bytes',
- description:
- 'Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.',
- example: 368,
- },
- {
- name: 'packets',
- level: 'core',
- type: 'long',
- description:
- 'Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.',
- example: 24,
- },
- ],
- },
- {
- name: 'observer',
- title: 'Observer',
- group: 2,
- description:
- 'An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.',
- type: 'group',
- fields: [
- {
- name: 'mac',
- level: 'core',
- type: 'keyword',
- description: 'MAC address of the observer',
- },
- {
- name: 'ip',
- level: 'core',
- type: 'ip',
- description: 'IP address of the observer.',
+ ignore_above: 1024,
+ description: 'Full file path of the library.',
+ example: 'C:\\Windows\\System32\\kernel32.dll',
+ default_field: false,
},
{
- name: 'hostname',
- level: 'core',
+ name: 'pe.company',
+ level: 'extended',
type: 'keyword',
- description: 'Hostname of the observer.',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'vendor',
- level: 'core',
+ name: 'pe.description',
+ level: 'extended',
type: 'keyword',
- description: 'observer vendor information.',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
},
{
- name: 'version',
- level: 'core',
+ name: 'pe.file_version',
+ level: 'extended',
type: 'keyword',
- description: 'Observer version.',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
},
{
- name: 'serial_number',
+ name: 'pe.original_file_name',
level: 'extended',
type: 'keyword',
- description: 'Observer serial number.',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
},
{
- name: 'type',
- level: 'core',
+ name: 'pe.product',
+ level: 'extended',
type: 'keyword',
- description:
- 'The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.',
- example: 'firewall',
- },
- {
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
- {
- name: 'platform',
- level: 'extended',
- type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
- },
- {
- name: 'full',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
- },
- {
- name: 'family',
- level: 'extended',
- type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- },
- {
- name: 'version',
- level: 'extended',
- type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
- },
- {
- name: 'kernel',
- level: 'extended',
- type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
- },
- ],
- },
- {
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
},
],
},
{
- name: 'organization',
- title: 'Organization',
+ name: 'dns',
+ title: 'DNS',
group: 2,
description:
- 'The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.',
+ 'Fields describing DNS queries and answers.\n\nDNS events should either represent a single DNS query prior to getting answers\n(`dns.type:query`) or they should represent a full exchange and contain the\nquery details as well as all of the answers that were provided for this query\n(`dns.type:answer`).',
type: 'group',
fields: [
{
- name: 'name',
+ name: 'answers',
level: 'extended',
- type: 'keyword',
- description: 'Organization name.',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'An array containing an object for each answer section returned\nby the server.\n\nThe main keys that should be present in these objects are defined by ECS.\nRecords that have more information may contain more keys than what ECS defines.\n\nNot all DNS data sources give all details about DNS answers. At minimum, answer\nobjects must contain the `data` key. If more information is available, map\nas much of it to ECS as possible, and add any additional fields to the answer\nobjects as custom fields.',
},
{
- name: 'id',
+ name: 'answers.class',
level: 'extended',
type: 'keyword',
- description: 'Unique identifier for the organization.',
+ ignore_above: 1024,
+ description: 'The class of DNS data contained in this resource record.',
+ example: 'IN',
},
- ],
- },
- {
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
{
- name: 'platform',
+ name: 'answers.data',
level: 'extended',
type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
+ ignore_above: 1024,
+ description:
+ 'The data describing the resource.\n\nThe meaning of this data depends on the type and class of the resource record.',
+ example: '10.10.10.10',
},
{
- name: 'name',
+ name: 'answers.name',
level: 'extended',
type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
+ ignore_above: 1024,
+ description:
+ 'The domain name to which this resource record pertains.\n\nIf a chain of CNAME is being resolved, each answer `name` should be the\none that corresponds with the answer `data`. It should not simply be the\noriginal `question.name` repeated.',
+ example: 'www.google.com',
},
{
- name: 'full',
+ name: 'answers.ttl',
level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
+ type: 'long',
+ description:
+ 'The time interval in seconds that this resource record may be cached\nbefore it should be discarded. Zero values mean that the data should not be\ncached.',
+ example: 180,
},
{
- name: 'family',
+ name: 'answers.type',
level: 'extended',
type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
+ ignore_above: 1024,
+ description: 'The type of data contained in this resource record.',
+ example: 'CNAME',
},
{
- name: 'version',
+ name: 'header_flags',
level: 'extended',
type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
+ ignore_above: 1024,
+ description:
+ 'Array of 2 letter DNS header flags.\n\nExpected values are: AA, TC, RD, RA, AD, CD, DO.',
+ example: ['RD', 'RA'],
},
{
- name: 'kernel',
+ name: 'id',
level: 'extended',
type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
+ ignore_above: 1024,
+ description:
+ 'The DNS packet identifier assigned by the program that generated\nthe query. The identifier is copied to the response.',
+ example: 62111,
},
- ],
- },
- {
- name: 'process',
- title: 'Process',
- group: 2,
- description:
- 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.',
- type: 'group',
- fields: [
{
- name: 'pid',
- level: 'core',
- type: 'long',
- description: 'Process id.',
- example: 'ssh',
+ name: 'op_code',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The DNS operation code that specifies the kind of query in the\nmessage. This value is set by the originator of a query and copied into the\nresponse.',
+ example: 'QUERY',
},
{
- name: 'name',
+ name: 'question.class',
level: 'extended',
type: 'keyword',
- description: 'Process name. Sometimes called program name or similar.',
- example: 'ssh',
+ ignore_above: 1024,
+ description: 'The class of records being queried.',
+ example: 'IN',
},
{
- name: 'ppid',
+ name: 'question.name',
level: 'extended',
- type: 'long',
- description: 'Process parent id.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name being queried.\n\nIf the name field contains non-printable characters (below 32 or above 126),\nthose characters should be represented as escaped base 10 integers (\\DDD).\nBack slashes and quotes should be escaped. Tabs, carriage returns, and line\nfeeds should be converted to \\t, \\r, and \\n respectively.',
+ example: 'www.google.com',
},
{
- name: 'args',
+ name: 'question.registered_domain',
level: 'extended',
type: 'keyword',
- description: 'Process arguments. May be filtered to protect sensitive information.',
- example: ['ssh', '-l', 'user', '10.0.0.16'],
+ ignore_above: 1024,
+ description:
+ 'The highest registered domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
},
{
- name: 'executable',
+ name: 'question.subdomain',
level: 'extended',
type: 'keyword',
- description: 'Absolute path to the process executable.',
- example: '/usr/bin/ssh',
+ ignore_above: 1024,
+ description:
+ 'The subdomain is all of the labels under the registered_domain.\n\nIf the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",\nthe subdomain field should contain "sub2.sub1", with no trailing period.',
+ example: 'www',
},
{
- name: 'title',
+ name: 'question.top_level_domain',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.',
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
},
{
- name: 'thread.id',
+ name: 'question.type',
level: 'extended',
- type: 'long',
- example: 4242,
- description: 'Thread ID.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The type of record being queried.',
+ example: 'AAAA',
},
{
- name: 'start',
+ name: 'resolved_ip',
level: 'extended',
- type: 'date',
- example: '2016-05-23T08:05:34.853Z',
- description: 'The time the process started.',
+ type: 'ip',
+ description:
+ 'Array containing all IPs seen in `answers.data`.\n\nThe `answers` array can be difficult to use, because of the variety of data\nformats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`\nmakes it possible to index them as IP addresses, and makes them easier to\nvisualize and query for.',
+ example: ['10.10.10.10', '10.10.10.11'],
},
{
- name: 'working_directory',
+ name: 'response_code',
level: 'extended',
type: 'keyword',
- example: '/home/alice',
- description: 'The working directory of the process.',
+ ignore_above: 1024,
+ description: 'The DNS response code.',
+ example: 'NOERROR',
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of DNS event captured, query or answer.\n\nIf your source of DNS events only gives you DNS queries, you should only create\ndns events of type `dns.type:query`.\n\nIf your source of DNS events gives you answers as well, you should create\none event per query (optionally as soon as the query is seen). And a second\nevent containing all query details as well as an array of answers.',
+ example: 'answer',
},
],
},
{
- name: 'related',
- title: 'Related',
+ name: 'ecs',
+ title: 'ECS',
group: 2,
- description:
- 'This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in ECS. To facilitate searching for them, append values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`.',
+ description: 'Meta-information specific to ECS.',
type: 'group',
fields: [
{
- name: 'ip',
- level: 'extended',
- type: 'ip',
- description: 'All of the IPs seen on your event.',
+ name: 'version',
+ level: 'core',
+ required: true,
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'ECS version this event conforms to. `ecs.version` is a required\nfield and must exist in all events.\n\nWhen querying across multiple indices -- which may conform to slightly different\nECS versions -- this field lets integrations adjust to the schema version\nof the events.',
+ example: '1.0.0',
},
],
},
{
- name: 'server',
- title: 'Server',
+ name: 'error',
+ title: 'Error',
group: 2,
description:
- 'A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.',
+ 'These fields can represent errors of any kind.\n\nUse them for errors that happen while fetching events or in cases where the\nevent itself contains an error.',
type: 'group',
fields: [
{
- name: 'address',
- level: 'extended',
+ name: 'code',
+ level: 'core',
type: 'keyword',
- description:
- 'Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ ignore_above: 1024,
+ description: 'Error code describing the error.',
},
{
- name: 'ip',
+ name: 'id',
level: 'core',
- type: 'ip',
- description: 'IP address of the server. Can be one or multiple IPv4 or IPv6 addresses.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the error.',
},
{
- name: 'port',
+ name: 'message',
level: 'core',
- type: 'long',
- description: 'Port of the server.',
- },
- {
- name: 'mac',
- level: 'core',
- type: 'keyword',
- description: 'MAC address of the server.',
+ type: 'text',
+ description: 'Error message.',
},
{
- name: 'domain',
- level: 'core',
+ name: 'stack_trace',
+ level: 'extended',
type: 'keyword',
- description: 'Server domain.',
- },
- {
- name: 'bytes',
- level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the server to the client.',
- },
- {
- name: 'packets',
- level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the server to the client.',
- },
- {
- name: 'geo',
- title: 'Geo',
- group: 2,
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'The stack trace of this error in plain text.',
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The type of the error, for example the class name of the exception.',
+ example: 'java.lang.NullPointerException',
},
],
},
{
- name: 'service',
- title: 'Service',
+ name: 'event',
+ title: 'Event',
group: 2,
description:
- 'The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.',
+ 'The event fields are used for context information about the log\nor metric event itself.\n\nA log is defined as an event containing details of something that happened.\nLog events must include the time at which the thing happened. Examples of log\nevents include a process starting on a host, a network packet being sent from\na source to a destination, or a network connection between a client and a server\nbeing initiated or closed. A metric is defined as an event containing one or\nmore numerical measurements and the time at which the measurement was taken.\nExamples of metric events include memory pressure measured on a host and device\ntemperature. See the `event.kind` definition in this section for additional\ndetails about metric and state events.',
type: 'group',
fields: [
{
- name: 'id',
+ name: 'action',
level: 'core',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance.',
- example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6',
+ 'The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.',
+ example: 'user-password-change',
},
{
- name: 'name',
+ name: 'category',
level: 'core',
type: 'keyword',
- example: 'elasticsearch-metrics',
+ ignore_above: 1024,
description:
- 'Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified.',
+ 'This is one of four ECS Categorization Fields, and indicates the\nsecond level in the ECS category hierarchy.\n\n`event.category` represents the "big buckets" of ECS categories. For example,\nfiltering on `event.category:process` yields all events relating to process\nactivity. This field is closely related to `event.type`, which is used as\na subcategory.\n\nThis field is an array. This will allow proper categorization of some events\nthat fall in multiple categories.',
+ example: 'authentication',
},
{
- name: 'type',
- level: 'core',
+ name: 'code',
+ level: 'extended',
type: 'keyword',
- example: 'elasticsearch',
+ ignore_above: 1024,
description:
- 'The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.',
+ 'Identification code for this event, if one exists.\n\nSome event sources use event codes to identify messages unambiguously, regardless\nof message language or wording adjustments over time. An example of this is\nthe Windows Event ID.',
+ example: 4648,
},
{
- name: 'state',
+ name: 'created',
level: 'core',
- type: 'keyword',
- description: 'Current state of the service.',
+ type: 'date',
+ description:
+ 'event.created contains the date/time when the event was first\nread by an agent, or by your pipeline.\n\nThis field is distinct from @timestamp in that @timestamp typically contain\nthe time extracted from the original event.\n\nIn most situations, these two timestamps will be slightly different. The difference\ncan be used to calculate the delay between your source generating an event,\nand the time when your agent first processed it. This can be used to monitor\nyour agent or pipeline ability to keep up with your event source.\n\nIn case the two timestamps are identical, @timestamp should be used.',
+ example: '2016-05-23T08:05:34.857Z',
},
{
- name: 'version',
+ name: 'dataset',
level: 'core',
type: 'keyword',
- example: '3.2.4',
+ ignore_above: 1024,
description:
- 'Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.',
+ 'Name of the dataset.\n\nIf an event source publishes more than one type of log or events (e.g. access\nlog, error log), the dataset is used to specify which one the event comes\nfrom.\n\nIt is recommended but not required to start the dataset name with the module\nname, followed by a dot, then the dataset name.',
+ example: 'apache.access',
},
{
- name: 'ephemeral_id',
+ name: 'duration',
+ level: 'core',
+ type: 'long',
+ format: 'duration',
+ input_format: 'nanoseconds',
+ output_format: 'asMilliseconds',
+ output_precision: 1,
+ description:
+ 'Duration of the event in nanoseconds.\n\nIf event.start and event.end are known this value should be the difference\nbetween the end and start time.',
+ },
+ {
+ name: 'end',
level: 'extended',
- type: 'keyword',
+ type: 'date',
description:
- 'Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.',
- example: '8a4f500f',
+ 'event.end contains the date when the event ended or when the activity\nwas last observed.',
},
- ],
- },
- {
- name: 'source',
- title: 'Source',
- group: 2,
- description:
- 'Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields.',
- type: 'group',
- fields: [
{
- name: 'address',
+ name: 'hash',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
+ 'Hash (perhaps logstash fingerprint) of raw field to be able to\ndemonstrate log integrity.',
+ example: '123456789012345678901234567890ABCD',
},
{
- name: 'ip',
+ name: 'id',
level: 'core',
- type: 'ip',
- description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique ID to describe the event.',
+ example: '8a4f500d',
},
{
- name: 'port',
+ name: 'ingested',
level: 'core',
- type: 'long',
- description: 'Port of the source.',
+ type: 'date',
+ description:
+ 'Timestamp when an event arrived in the central data store.\n\nThis is different from `@timestamp`, which is when the event originally occurred. It is\nalso different from `event.created`, which is meant to capture the first time\nan agent saw the event.\n\nIn normal conditions, assuming no tampering, the timestamps should chronologically\nlook like this: `@timestamp` < `event.created` < `event.ingested`.',
+ example: '2016-05-23T08:05:35.101Z',
+ default_field: false,
},
{
- name: 'mac',
+ name: 'kind',
level: 'core',
type: 'keyword',
- description: 'MAC address of the source.',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nhighest level in the ECS category hierarchy.\n\n`event.kind` gives high-level information about what type of information the\nevent contains, without being specific to the contents of the event. For example,\nvalues of this field distinguish alert events from metric events.\n\nThe value of this field can be used to inform how these kinds of events should\nbe handled. They may warrant different retention, different access control,\nit may also help understand whether the data coming in at a regular interval\nor not.',
+ example: 'alert',
},
{
- name: 'domain',
+ name: 'module',
level: 'core',
type: 'keyword',
- description: 'Source domain.',
+ ignore_above: 1024,
+ description:
+ 'Name of the module this data is coming from.\n\nIf your monitoring agent supports the concept of modules or plugins to process\nevents of a given source (e.g. Apache logs), `event.module` should contain\nthe name of this module.',
+ example: 'apache',
},
{
- name: 'bytes',
+ name: 'original',
level: 'core',
- type: 'long',
- format: 'bytes',
- example: 184,
- description: 'Bytes sent from the source to the destination.',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Raw text message of entire event. Used to demonstrate log integrity.\n\nThis field is not indexed and doc_values are disabled. It cannot be searched,\nbut it can be retrieved from `_source`.',
+ example:
+ 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|\nworm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232',
},
{
- name: 'packets',
+ name: 'outcome',
level: 'core',
- type: 'long',
- example: 12,
- description: 'Packets sent from the source to the destination.',
- },
- {
- name: 'geo',
- title: 'Geo',
- group: 2,
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- type: 'group',
- fields: [
- {
- name: 'location',
- level: 'core',
- type: 'geo_point',
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- },
- {
- name: 'continent_name',
- level: 'core',
- type: 'keyword',
- description: 'Name of the continent.',
- example: 'North America',
- },
- {
- name: 'country_name',
- level: 'core',
- type: 'keyword',
- description: 'Country name.',
- example: 'Canada',
- },
- {
- name: 'region_name',
- level: 'core',
- type: 'keyword',
- description: 'Region name.',
- example: 'Quebec',
- },
- {
- name: 'city_name',
- level: 'core',
- type: 'keyword',
- description: 'City name.',
- example: 'Montreal',
- },
- {
- name: 'country_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Country ISO code.',
- example: 'CA',
- },
- {
- name: 'region_iso_code',
- level: 'core',
- type: 'keyword',
- description: 'Region ISO code.',
- example: 'CA-QC',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- },
- ],
+ 'This is one of four ECS Categorization Fields, and indicates the\nlowest level in the ECS category hierarchy.\n\n`event.outcome` simply denotes whether the event represents a success or a\nfailure from the perspective of the entity that produced the event.\n\nNote that when a single transaction is described in multiple events, each\nevent may populate different values of `event.outcome`, according to their\nperspective.\n\nAlso note that in the case of a compound event (a single event that contains\nmultiple logical events), this field should be populated with the value that\nbest captures the overall success or failure from the perspective of the event\nproducer.\n\nFurther note that not all events will have an associated outcome. For example,\nthis field is generally not populated for metric events, events with `event.type:info`,\nor any events for which an outcome does not make logical sense.',
+ example: 'success',
},
- ],
- },
- {
- name: 'url',
- title: 'URL',
- description: 'URL fields provide a complete URL, with scheme, host, and path.',
- type: 'group',
- fields: [
{
- name: 'original',
+ name: 'provider',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.',
- example:
- 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch',
+ 'Source of the event.\n\nEvent transports such as Syslog or the Windows Event Log typically mention\nthe source of an event. It can be the name of the software that generated\nthe event (e.g. Sysmon, httpd), or of a subsystem of the operating system\n(kernel, Microsoft-Windows-Security-Auditing).',
+ example: 'kernel',
},
{
- name: 'full',
+ name: 'reference',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.',
- example: 'https://www.elastic.co:443/search?q=elasticsearch#top',
+ 'Reference URL linking to additional information about this event.\n\nThis URL links to a static definition of the this event. Alert events, indicated\nby `event.kind:alert`, are a common use case for this field.',
+ example: 'https://system.vendor.com/event/#0001234',
+ default_field: false,
},
{
- name: 'scheme',
- level: 'extended',
- type: 'keyword',
+ name: 'risk_score',
+ level: 'core',
+ type: 'float',
description:
- 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.',
- example: 'https',
+ "Risk score or priority of the event (e.g. security solutions).\nUse your system's original value here.",
},
{
- name: 'domain',
+ name: 'risk_score_norm',
level: 'extended',
- type: 'keyword',
+ type: 'float',
description:
- 'Domain of the request, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.',
- example: 'www.elastic.co',
+ 'Normalized risk score or priority of the event, on a scale of\n0 to 100.\n\nThis is mainly useful if you use more than one system that assigns risk scores,\nand you want to see a normalized value across all systems.',
},
{
- name: 'port',
+ name: 'sequence',
level: 'extended',
- type: 'integer',
- description: 'Port of the request, such as 443.',
- example: 443,
+ type: 'long',
+ format: 'string',
+ description:
+ 'Sequence number of the event.\n\nThe sequence number is a value published by some event sources, to make the\nexact ordering of events unambiguous, regardless of the timestamp precision.',
},
{
- name: 'path',
- level: 'extended',
- type: 'keyword',
- description: 'Path of the request, such as "/search".',
+ name: 'severity',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description:
+ 'The numeric severity of the event according to your event source.\n\nWhat the different severity values mean can be different between sources and\nuse cases. It is up to the implementer to make sure severities are consistent\nacross events from the same source.\n\nThe Syslog severity belongs in `log.syslog.severity.code`. `event.severity`\nis meant to represent the severity according to the event source (e.g. firewall,\nIDS). If the event source does not publish its own severity, you may optionally\ncopy the `log.syslog.severity.code` to `event.severity`.',
+ example: 7,
},
{
- name: 'query',
+ name: 'start',
level: 'extended',
- type: 'keyword',
+ type: 'date',
description:
- 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.',
+ 'event.start contains the date when the event started or when the\nactivity was first observed.',
},
{
- name: 'fragment',
+ name: 'timezone',
level: 'extended',
type: 'keyword',
+ ignore_above: 1024,
description:
- 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.',
+ 'This field should be populated when the event timestamp does\nnot include timezone information already (e.g. default Syslog timestamps).\nIt is optional otherwise.\n\nAcceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),\nabbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").',
},
{
- name: 'username',
- level: 'extended',
+ name: 'type',
+ level: 'core',
type: 'keyword',
- description: 'Username of the request.',
+ ignore_above: 1024,
+ description:
+ 'This is one of four ECS Categorization Fields, and indicates the\nthird level in the ECS category hierarchy.\n\n`event.type` represents a categorization "sub-bucket" that, when used along\nwith the `event.category` field values, enables filtering events down to a\nlevel appropriate for single visualization.\n\nThis field is an array. This will allow proper categorization of some events\nthat fall in multiple event types.',
},
{
- name: 'password',
+ name: 'url',
level: 'extended',
type: 'keyword',
- description: 'Password of the request.',
+ ignore_above: 1024,
+ description:
+ 'URL linking to an external system to continue investigation of\nthis event.\n\nThis URL links to another system where in-depth investigation of the specific\noccurence of this event can take place. Alert events, indicated by `event.kind:alert`,\nare a common use case for this field.',
+ example: 'https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe',
+ default_field: false,
},
],
},
{
- name: 'user',
- title: 'User',
+ name: 'file',
+ title: 'File',
group: 2,
description:
- 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.',
- reusable: {
- top_level: true,
- expected: ['client', 'destination', 'host', 'server', 'source'],
- },
+ 'A file is defined as a set of information that has been created\non, or has existed on a filesystem.\n\nFile objects can be associated with host events, network events, and/or file\nevents (e.g., those produced by File Integrity Monitoring [FIM] products or\nservices). File fields provide details about the affected file associated with\nthe event or metric.',
type: 'group',
fields: [
{
- name: 'id',
- level: 'core',
+ name: 'accessed',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Last time the file was accessed.\n\nNote that not all filesystems keep track of access time.',
+ },
+ {
+ name: 'attributes',
+ level: 'extended',
type: 'keyword',
- description: 'One or multiple unique identifiers of the user.',
+ ignore_above: 1024,
+ description:
+ 'Array of file attributes.\n\nAttributes names will vary by platform. Here is a non-exhaustive list of values\nthat are expected in this field: archive, compressed, directory, encrypted,\nexecute, hidden, read, readonly, system, write.',
+ example: '["readonly", "system"]',
+ default_field: false,
},
{
- name: 'name',
+ name: 'code_signature.exists',
level: 'core',
- type: 'keyword',
- example: 'albert',
- description: 'Short name or login of the user.',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'full_name',
+ name: 'code_signature.status',
level: 'extended',
type: 'keyword',
- example: 'Albert Einstein',
- description: "User's full name, if available. ",
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
},
{
- name: 'email',
- level: 'extended',
+ name: 'code_signature.subject_name',
+ level: 'core',
type: 'keyword',
- description: 'User email address.',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'hash',
+ name: 'code_signature.trusted',
level: 'extended',
- type: 'keyword',
+ type: 'boolean',
description:
- 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.',
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
},
{
- name: 'group',
- title: 'Group',
- group: 2,
+ name: 'code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
description:
- 'The group fields are meant to represent groups that are relevant to the event.',
- type: 'group',
- fields: [
- {
- name: 'id',
- level: 'extended',
- type: 'keyword',
- description: 'Unique identifier for the group on the system/platform.',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- description: 'Name of the group.',
- },
- ],
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
},
- ],
- },
- {
- name: 'user_agent',
- title: 'User agent',
- group: 2,
- description:
- 'The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.',
- type: 'group',
- fields: [
{
- name: 'original',
+ name: 'created',
level: 'extended',
- type: 'keyword',
- description: 'Unparsed version of the user_agent.',
- example:
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
+ type: 'date',
+ description:
+ 'File creation time.\n\nNote that not all filesystems store the creation time.',
},
{
- name: 'name',
+ name: 'ctime',
level: 'extended',
- type: 'keyword',
- example: 'Safari',
- description: 'Name of the user agent.',
+ type: 'date',
+ description:
+ 'Last time the file attributes or metadata changed.\n\nNote that changes to the file content will update `mtime`. This implies `ctime`\nwill be adjusted at the same time, since `mtime` is an attribute of the file.',
},
{
- name: 'version',
+ name: 'device',
level: 'extended',
type: 'keyword',
- description: 'Version of the user agent.',
- example: 12,
+ ignore_above: 1024,
+ description: 'Device that is the source of the file.',
+ example: 'sda',
},
{
- name: 'device.name',
+ name: 'directory',
level: 'extended',
type: 'keyword',
- example: 'iPhone',
- description: 'Name of the device.',
+ ignore_above: 1024,
+ description:
+ 'Directory where the file is located. It should include the drive\nletter, when appropriate.',
+ example: '/home/alice',
},
{
- name: 'os',
- title: 'Operating System',
- group: 2,
- description: 'The OS fields contain information about the operating system.',
- reusable: {
- top_level: false,
- expected: ['observer', 'host', 'user_agent'],
- },
- type: 'group',
- fields: [
- {
- name: 'platform',
- level: 'extended',
- type: 'keyword',
- description: 'Operating system platform (such centos, ubuntu, windows).',
- example: 'darwin',
- },
- {
- name: 'name',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS X',
- description: 'Operating system name, without the version.',
- },
- {
- name: 'full',
- level: 'extended',
- type: 'keyword',
- example: 'Mac OS Mojave',
- description: 'Operating system name, including the version or code name.',
- },
- {
- name: 'family',
- level: 'extended',
- type: 'keyword',
- example: 'debian',
- description: 'OS family (such as redhat, debian, freebsd, windows).',
- },
- {
- name: 'version',
- level: 'extended',
- type: 'keyword',
- example: '10.14.1',
- description: 'Operating system version as a raw string.',
- },
- {
- name: 'kernel',
- level: 'extended',
- type: 'keyword',
- example: '4.4.0-112-generic',
- description: 'Operating system kernel version as a raw string.',
- },
- ],
+ name: 'drive_letter',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1,
+ description:
+ 'Drive letter where the file is located. This field is only relevant\non Windows.\n\nThe value should be uppercase, and not include the colon.',
+ example: 'C',
+ default_field: false,
},
- ],
- },
- {
- name: 'agent.hostname',
- type: 'keyword',
- description: 'Hostname of the agent.',
- },
- ],
- },
- {
- key: 'beat',
- title: 'Beat',
- description: 'Contains common beat fields available in all event types.',
- fields: [
- {
- name: 'beat.timezone',
- type: 'alias',
- path: 'event.timezone',
- migration: true,
- },
- {
- name: 'fields',
- type: 'object',
- object_type: 'keyword',
- description: 'Contains user configurable fields.',
- },
- {
- name: 'error',
- type: 'group',
- description: 'Error fields containing additional info in case of errors.',
- fields: [
{
- name: 'type',
+ name: 'extension',
+ level: 'extended',
type: 'keyword',
- description: 'Error type.',
+ ignore_above: 1024,
+ description: 'File extension.',
+ example: 'png',
},
- ],
- },
- {
- name: 'beat.name',
- type: 'alias',
- path: 'host.name',
- migration: true,
- },
- {
- name: 'beat.hostname',
- type: 'alias',
- path: 'agent.hostname',
- migration: true,
- },
- ],
- },
- {
- key: 'cloud',
- title: 'Cloud provider metadata',
- description: 'Metadata from cloud providers added by the add_cloud_metadata processor.',
- fields: [
- {
- name: 'cloud.project.id',
- example: 'project-x',
- description: 'Name of the project in Google Cloud.',
- },
- {
- name: 'meta.cloud.provider',
- type: 'alias',
- path: 'cloud.provider',
- migration: true,
- },
- {
- name: 'meta.cloud.instance_id',
- type: 'alias',
- path: 'cloud.instance.id',
- migration: true,
- },
- {
- name: 'meta.cloud.instance_name',
- type: 'alias',
- path: 'cloud.instance.name',
- migration: true,
- },
- {
- name: 'meta.cloud.machine_type',
- type: 'alias',
- path: 'cloud.machine.type',
- migration: true,
- },
- {
- name: 'meta.cloud.availability_zone',
- type: 'alias',
- path: 'cloud.availability_zone',
- migration: true,
- },
- {
- name: 'meta.cloud.project_id',
- type: 'alias',
- path: 'cloud.project.id',
- migration: true,
- },
- {
- name: 'meta.cloud.region',
- type: 'alias',
- path: 'cloud.region',
- migration: true,
- },
- ],
- },
- {
- key: 'docker',
- title: 'Docker',
- description: 'Docker stats collected from Docker.',
- short_config: false,
- anchor: 'docker-processor',
- fields: [
- {
- name: 'docker',
- type: 'group',
- fields: [
{
- name: 'container.id',
- type: 'alias',
- path: 'container.id',
- migration: true,
+ name: 'gid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Primary group ID (GID) of the file.',
+ example: '1001',
},
{
- name: 'container.image',
- type: 'alias',
- path: 'container.image.name',
- migration: true,
+ name: 'group',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Primary group name of the file.',
+ example: 'alice',
},
{
- name: 'container.name',
- type: 'alias',
- path: 'container.name',
- migration: true,
+ name: 'hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
},
{
- name: 'container.labels',
- type: 'object',
- object_type: 'keyword',
- description: 'Image labels.',
+ name: 'hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
},
- ],
- },
- ],
- },
- {
- key: 'host',
- title: 'Host',
- description: 'Info collected for the host machine.',
- anchor: 'host-processor',
- },
- {
- key: 'kubernetes',
- title: 'Kubernetes',
- description: 'Kubernetes metadata added by the kubernetes processor',
- short_config: false,
- anchor: 'kubernetes-processor',
- fields: [
- {
- name: 'kubernetes',
- type: 'group',
- fields: [
{
- name: 'pod.name',
+ name: 'hash.sha256',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes pod name',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
},
{
- name: 'pod.uid',
+ name: 'hash.sha512',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes Pod UID',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
},
{
- name: 'namespace',
+ name: 'inode',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes namespace',
+ ignore_above: 1024,
+ description: 'Inode representing the file in the filesystem.',
+ example: '256383',
},
{
- name: 'node.name',
+ name: 'mime_type',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes node name',
+ ignore_above: 1024,
+ description:
+ 'MIME type should identify the format of the file or stream of bytes\nusing https://www.iana.org/assignments/media-types/media-types.xhtml[IANA\nofficial types], where possible. When more than one type is applicable, the\nmost specific type should be used.',
+ default_field: false,
},
{
- name: 'labels',
- type: 'object',
- description: 'Kubernetes labels map',
+ name: 'mode',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Mode of the file in octal representation.',
+ example: '0640',
},
{
- name: 'annotations',
- type: 'object',
- description: 'Kubernetes annotations map',
+ name: 'mtime',
+ level: 'extended',
+ type: 'date',
+ description: 'Last time the file content was modified.',
},
{
- name: 'container.name',
+ name: 'name',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes container name',
+ ignore_above: 1024,
+ description: 'Name of the file including the extension, without the directory.',
+ example: 'example.png',
},
{
- name: 'container.image',
+ name: 'owner',
+ level: 'extended',
type: 'keyword',
- description: 'Kubernetes container image',
+ ignore_above: 1024,
+ description: "File owner's username.",
+ example: 'alice',
},
- ],
- },
- ],
- },
- {
- key: 'process',
- title: 'Process',
- description: 'Process metadata fields',
- fields: [
- {
- name: 'process',
- type: 'group',
- fields: [
- {
- name: 'exe',
- type: 'alias',
- path: 'process.executable',
- migration: true,
- },
- ],
- },
- ],
- },
- {
- key: 'common',
- title: 'Common',
- description:
- 'These fields contain data about the environment in which the transaction or flow was captured.',
- fields: [
- {
- name: 'type',
- description:
- 'The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.',
- required: true,
- },
- {
- name: 'server.process.name',
- description: 'The name of the process that served the transaction.',
- },
- {
- name: 'server.process.args',
- description: 'The command-line of the process that served the transaction.',
- },
- {
- name: 'server.process.executable',
- description: 'Absolute path to the server process executable.',
- },
- {
- name: 'server.process.working_directory',
- description: 'The working directory of the server process.',
- },
- {
- name: 'server.process.start',
- description: 'The time the server process started.',
- },
- {
- name: 'client.process.name',
- description: 'The name of the process that initiated the transaction.',
- },
- {
- name: 'client.process.args',
- description: 'The command-line of the process that initiated the transaction.',
- },
- {
- name: 'client.process.executable',
- description: 'Absolute path to the client process executable.',
- },
- {
- name: 'client.process.working_directory',
- description: 'The working directory of the client process.',
- },
- {
- name: 'client.process.start',
- description: 'The time the client process started.',
- },
- {
- name: 'real_ip',
- type: 'alias',
- path: 'network.forwarded_ip',
- migration: true,
- description:
- 'If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, the IP address extracted from a configurable HTTP header, by default `X-Forwarded-For`. Unless this field is disabled, it always has a value, and it matches the `client_ip` for non proxy clients.',
- },
- {
- name: 'transport',
- type: 'alias',
- path: 'network.transport',
- migration: true,
- description:
- 'The transport protocol used for the transaction. If not specified, then tcp is assumed.',
- },
- ],
- },
- {
- key: 'flows_event',
- title: 'Flow Event',
- description: 'These fields contain data about the flow itself.',
- fields: [
- {
- name: 'flow.final',
- type: 'boolean',
- description:
- 'Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.',
- },
- {
- name: 'flow.id',
- description: 'Internal flow ID based on connection meta data and address.',
- },
- {
- name: 'flow.vlan',
- type: 'long',
- description:
- "VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. ",
- },
- {
- name: 'flow_id',
- type: 'alias',
- path: 'flow.id',
- migration: true,
- },
- {
- name: 'final',
- type: 'alias',
- path: 'flow.final',
- migration: true,
- },
- {
- name: 'vlan',
- type: 'alias',
- path: 'flow.vlan',
- migration: true,
- },
- {
- name: 'source.stats.net_bytes_total',
- type: 'alias',
- path: 'source.bytes',
- migration: true,
- },
- {
- name: 'source.stats.net_packets_total',
- type: 'alias',
- path: 'source.packets',
- migration: true,
- },
- {
- name: 'dest.stats.net_bytes_total',
- type: 'alias',
- path: 'destination.bytes',
- migration: true,
- },
- {
- name: 'dest.stats.net_packets_total',
- type: 'alias',
- path: 'destination.packets',
- migration: true,
- },
- ],
- },
- {
- key: 'trans_event',
- title: 'Transaction Event',
- description: 'These fields contain data about the transaction itself.',
- fields: [
- {
- name: 'status',
- description:
- 'The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.',
- required: true,
- possible_values: ['OK', 'Error', 'Server Error', 'Client Error'],
- },
- {
- name: 'method',
- description:
- 'The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).',
- },
- {
- name: 'resource',
- description:
- 'The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.',
- },
- {
- name: 'path',
- required: true,
- description:
- 'The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.',
- },
- {
- name: 'query',
- type: 'keyword',
- description:
- 'The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.',
- },
- {
- name: 'params',
- type: 'text',
- description:
- 'The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.',
- },
- {
- name: 'notes',
- type: 'alias',
- path: 'error.message',
- description:
- 'Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting.',
- },
- ],
- },
- {
- key: 'raw',
- title: 'Raw',
- description: 'These fields contain the raw transaction data.',
- fields: [
- {
- name: 'request',
- type: 'text',
- description:
- 'For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.',
- },
- {
- name: 'response',
- type: 'text',
- description:
- 'For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.',
- },
- ],
- },
- {
- key: 'trans_measurements',
- title: 'Measurements (Transactions)',
- description: 'These fields contain measurements related to the transaction.',
- fields: [
- {
- name: 'bytes_in',
- type: 'alias',
- path: 'source.bytes',
- description:
- 'The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers.',
- },
- {
- name: 'bytes_out',
- type: 'alias',
- path: 'destination.bytes',
- description:
- 'The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers.',
- },
- ],
- },
- {
- key: 'amqp',
- title: 'AMQP',
- description: 'AMQP specific event fields.',
- fields: [
- {
- name: 'amqp',
- type: 'group',
- fields: [
{
- name: 'reply-code',
- type: 'long',
- description: 'AMQP reply code to an error, similar to http reply-code',
- example: 404,
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Full path to the file, including the file name. It should include\nthe drive letter, when appropriate.',
+ example: '/home/alice/example.png',
},
{
- name: 'reply-text',
+ name: 'pe.company',
+ level: 'extended',
type: 'keyword',
- description: 'Text explaining the error.',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
},
{
- name: 'class-id',
- type: 'long',
- description: 'Failing method class.',
+ name: 'pe.description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
},
{
- name: 'method-id',
- type: 'long',
- description: 'Failing method ID.',
+ name: 'pe.file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
},
{
- name: 'exchange',
+ name: 'pe.original_file_name',
+ level: 'extended',
type: 'keyword',
- description: 'Name of the exchange.',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
},
{
- name: 'exchange-type',
+ name: 'pe.product',
+ level: 'extended',
type: 'keyword',
- description: 'Exchange type.',
- example: 'fanout',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
},
{
- name: 'passive',
- type: 'boolean',
- description: 'If set, do not create exchange/queue.',
+ name: 'size',
+ level: 'extended',
+ type: 'long',
+ description: 'File size in bytes.\n\nOnly relevant when `file.type` is "file".',
+ example: 16384,
},
{
- name: 'durable',
- type: 'boolean',
- description: 'If set, request a durable exchange/queue.',
+ name: 'target_path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Target path for symlinks.',
},
{
- name: 'exclusive',
- type: 'boolean',
- description: 'If set, request an exclusive queue.',
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'File type (file, dir, or symlink).',
+ example: 'file',
},
{
- name: 'auto-delete',
- type: 'boolean',
- description: 'If set, auto-delete queue when unused.',
+ name: 'uid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The user ID (UID) or security identifier (SID) of the file owner.',
+ example: '1001',
},
+ ],
+ },
+ {
+ name: 'geo',
+ title: 'Geo',
+ group: 2,
+ description:
+ 'Geo fields can carry data about a specific location related to an\nevent.\n\nThis geolocation information can be derived from techniques such as Geo IP,\nor be user-supplied.',
+ type: 'group',
+ fields: [
{
- name: 'no-wait',
- type: 'boolean',
- description: 'If set, the server will not respond to the method.',
+ name: 'city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'consumer-tag',
- description: 'Identifier for the consumer, valid within the current channel.',
+ name: 'continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'delivery-tag',
- type: 'long',
- description: 'The server-assigned and channel-specific delivery tag.',
+ name: 'country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'message-count',
- type: 'long',
- description:
- 'The number of messages in the queue, which will be zero for newly-declared queues.',
+ name: 'country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'consumer-count',
- type: 'long',
- description: 'The number of consumers of a queue.',
+ name: 'location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
{
- name: 'routing-key',
+ name: 'name',
+ level: 'extended',
type: 'keyword',
- description: 'Message routing key.',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'no-ack',
- type: 'boolean',
- description: 'If set, the server does not expect acknowledgements for messages.',
+ name: 'region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'no-local',
- type: 'boolean',
+ name: 'region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ ],
+ },
+ {
+ name: 'group',
+ title: 'Group',
+ group: 2,
+ description:
+ 'The group fields are meant to represent groups that are relevant\nto the event.',
+ type: 'group',
+ fields: [
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
description:
- 'If set, the server will not send messages to the connection that published them.',
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
},
{
- name: 'if-unused',
- type: 'boolean',
- description: 'Delete only if unused.',
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
},
{
- name: 'if-empty',
- type: 'boolean',
- description: 'Delete only if empty.',
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
},
+ ],
+ },
+ {
+ name: 'hash',
+ title: 'Hash',
+ group: 2,
+ description:
+ 'The hash fields represent different hash algorithms and their values.\n\nField names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for\nother hashes by lowercasing the hash algorithm name and using underscore separators\nas appropriate (snake case, e.g. sha3_512).',
+ type: 'group',
+ fields: [
{
- name: 'queue',
+ name: 'md5',
+ level: 'extended',
type: 'keyword',
- description: 'The queue name identifies the queue within the vhost.',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
},
{
- name: 'redelivered',
- type: 'boolean',
- description:
- 'Indicates that the message has been previously delivered to this or another client.',
+ name: 'sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
},
{
- name: 'multiple',
- type: 'boolean',
- description: 'Acknowledge multiple messages.',
+ name: 'sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
},
{
- name: 'arguments',
- type: 'object',
- description:
- 'Optional additional arguments passed to some methods. Can be of various types.',
+ name: 'sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
},
+ ],
+ },
+ {
+ name: 'host',
+ title: 'Host',
+ group: 2,
+ description:
+ 'A host is defined as a general computing instance.\n\nECS host.* fields should be populated with details about the host on which the\nevent happened, or from which the measurement was taken. Host types include\nhardware, virtual machines, Docker containers, and Kubernetes nodes.',
+ type: 'group',
+ fields: [
{
- name: 'mandatory',
- type: 'boolean',
- description: 'Indicates mandatory routing.',
+ name: 'architecture',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system architecture.',
+ example: 'x86_64',
},
{
- name: 'immediate',
- type: 'boolean',
- description: 'Request immediate delivery.',
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the domain of which the host is a member.\n\nFor example, on Windows this could be the host Active Directory domain\nor NetBIOS domain name. For Linux this could be the domain of the host\nLDAP provider.',
+ example: 'CONTOSO',
+ default_field: false,
},
{
- name: 'content-type',
+ name: 'geo.city_name',
+ level: 'core',
type: 'keyword',
- description: 'MIME content type.',
- example: 'text/plain',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
},
{
- name: 'content-encoding',
+ name: 'geo.continent_name',
+ level: 'core',
type: 'keyword',
- description: 'MIME content encoding.',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
},
{
- name: 'headers',
- type: 'object',
- object_type: 'keyword',
- description: 'Message header field table.',
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
},
{
- name: 'delivery-mode',
+ name: 'geo.country_name',
+ level: 'core',
type: 'keyword',
- description: 'Non-persistent (1) or persistent (2).',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
},
{
- name: 'priority',
- type: 'long',
- description: 'Message priority, 0 to 9.',
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
},
{
- name: 'correlation-id',
+ name: 'geo.name',
+ level: 'extended',
type: 'keyword',
- description: 'Application correlation identifier.',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
},
{
- name: 'reply-to',
+ name: 'geo.region_iso_code',
+ level: 'core',
type: 'keyword',
- description: 'Address to reply to.',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
},
{
- name: 'expiration',
+ name: 'geo.region_name',
+ level: 'core',
type: 'keyword',
- description: 'Message expiration specification.',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
},
{
- name: 'message-id',
+ name: 'hostname',
+ level: 'core',
type: 'keyword',
- description: 'Application message identifier.',
+ ignore_above: 1024,
+ description:
+ 'Hostname of the host.\n\nIt normally contains what the `hostname` command returns on the host machine.',
},
{
- name: 'timestamp',
+ name: 'id',
+ level: 'core',
type: 'keyword',
- description: 'Message timestamp.',
+ ignore_above: 1024,
+ description:
+ 'Unique host id.\n\nAs hostname is not always unique, use values that are meaningful in your environment.\n\nExample: The current usage of `beat.name`.',
},
{
- name: 'type',
- type: 'keyword',
- description: 'Message type name.',
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'Host ip addresses.',
},
{
- name: 'user-id',
+ name: 'mac',
+ level: 'core',
type: 'keyword',
- description: 'Creating user id.',
+ ignore_above: 1024,
+ description: 'Host mac addresses.',
},
{
- name: 'app-id',
+ name: 'name',
+ level: 'core',
type: 'keyword',
- description: 'Creating application id.',
+ ignore_above: 1024,
+ description:
+ 'Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.',
},
- ],
- },
- ],
- },
- {
- key: 'cassandra',
- title: 'Cassandra',
- description: 'Cassandra v4/3 specific event fields.',
- fields: [
- {
- name: 'no_request',
- type: 'alias',
- path: 'cassandra.no_request',
- migration: true,
- },
- {
- name: 'cassandra',
- type: 'group',
- description: 'Information about the Cassandra request and response.',
- fields: [
{
- name: 'no_request',
- type: 'boolean',
- description: 'Indicates that there is no request because this is a PUSH message.',
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
},
{
- name: 'request',
- type: 'group',
- description: 'Cassandra request.',
- fields: [
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'headers',
- type: 'group',
- description: 'Cassandra request headers.',
- fields: [
- {
- name: 'version',
- type: 'long',
- description: 'The version of the protocol.',
- },
- {
- name: 'flags',
- type: 'keyword',
- description: 'Flags applying to this frame.',
- },
- {
- name: 'stream',
- type: 'keyword',
- description:
- 'A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.',
- },
- {
- name: 'op',
- type: 'keyword',
- description: 'An operation type that distinguishes the actual message.',
- },
- {
- name: 'length',
- type: 'long',
- description:
- 'A integer representing the length of the body of the frame (a frame is limited to 256MB in length).',
- },
- ],
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
{
- name: 'query',
- type: 'keyword',
- description: 'The CQL query which client send to cassandra.',
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
},
],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
},
{
- name: 'response',
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Type of host.\n\nFor Cloud providers this can be the machine type like `t2.medium`. If vm,\nthis could be the container, for example, or other information meaningful\nin your environment.',
+ },
+ {
+ name: 'uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the host has been up.',
+ example: 1325,
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'http',
+ title: 'HTTP',
+ group: 2,
+ description:
+ 'Fields related to HTTP activity. Use the `url` field set to store\nthe url of the request.',
+ type: 'group',
+ fields: [
+ {
+ name: 'request.body.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Size in bytes of the request body.',
+ example: 887,
+ },
+ {
+ name: 'request.body.content',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The full HTTP request body.',
+ example: 'Hello world',
+ },
+ {
+ name: 'request.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Total size in bytes of the request (body and headers).',
+ example: 1437,
+ },
+ {
+ name: 'request.method',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'HTTP request method.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'get, post, put',
+ },
+ {
+ name: 'request.referrer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Referrer for this HTTP request.',
+ example: 'https://blog.example.com/',
+ },
+ {
+ name: 'response.body.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Size in bytes of the response body.',
+ example: 887,
+ },
+ {
+ name: 'response.body.content',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The full HTTP response body.',
+ example: 'Hello world',
+ },
+ {
+ name: 'response.bytes',
+ level: 'extended',
+ type: 'long',
+ format: 'bytes',
+ description: 'Total size in bytes of the response (body and headers).',
+ example: 1437,
+ },
+ {
+ name: 'response.status_code',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'HTTP response status code.',
+ example: 404,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'HTTP version.',
+ example: 1.1,
+ },
+ ],
+ },
+ {
+ name: 'interface',
+ title: 'Interface',
+ group: 2,
+ description:
+ 'The interface fields are used to record ingress and egress interface\ninformation when reported by an observer (e.g. firewall, router, load balancer)\nin the context of the observer handling a network connection. In the case of\na single observer interface (e.g. network sensor on a span port) only the observer.ingress\ninformation should be populated.',
+ type: 'group',
+ fields: [
+ {
+ name: 'alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'log',
+ title: 'Log',
+ group: 2,
+ description:
+ 'Details about the event logging mechanism or logging transport.\n\nThe log.* fields are typically populated with details about the logging mechanism\nused to create and/or transport the event. For example, syslog details belong\nunder `log.syslog.*`.\n\nThe details specific to your event source are typically not logged under `log.*`,\nbut rather in `event.*` or in other ECS fields.',
+ type: 'group',
+ fields: [
+ {
+ name: 'level',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Original log level of the log event.\n\nIf the source of the event provides a log level or textual severity, this\nis the one that goes in `log.level`. If your source does not specify one,\nyou may put your event transport severity here (e.g. Syslog severity).\n\nSome examples are `warn`, `err`, `i`, `informational`.',
+ example: 'error',
+ },
+ {
+ name: 'logger',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name of the logger inside an application. This is usually the\nname of the class which initialized the logger, or can be a custom name.',
+ example: 'org.elasticsearch.bootstrap.Bootstrap',
+ },
+ {
+ name: 'origin.file.line',
+ level: 'extended',
+ type: 'integer',
+ description:
+ 'The line number of the file containing the source code which originated\nthe log event.',
+ example: 42,
+ },
+ {
+ name: 'origin.file.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The name of the file containing the source code which originated\nthe log event. Note that this is not the name of the log file.',
+ example: 'Bootstrap.java',
+ },
+ {
+ name: 'origin.function',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the function or method which originated the log event.',
+ example: 'init',
+ },
+ {
+ name: 'original',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'This is the original log message and contains the full log message\nbefore splitting it up in multiple parts.\n\nIn contrast to the `message` field which can contain an extracted part of\nthe log message, this field contains the original, full log message. It can\nhave already some modifications applied like encoding or new lines removed\nto clean up the log message.\n\nThis field is not indexed and doc_values are disabled so it can not be queried\nbut the value can be retrieved from `_source`.',
+ example: 'Sep 19 08:26:10 localhost My log',
+ },
+ {
+ name: 'syslog',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'The Syslog metadata of the event, if the event was transmitted\nvia Syslog. Please see RFCs 5424 or 3164.',
+ },
+ {
+ name: 'syslog.facility.code',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'The Syslog numeric facility of the log event, if available.\n\nAccording to RFCs 5424 and 3164, this value should be an integer between 0\nand 23.',
+ example: 23,
+ },
+ {
+ name: 'syslog.facility.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The Syslog text-based facility of the log event, if available.',
+ example: 'local7',
+ },
+ {
+ name: 'syslog.priority',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Syslog numeric priority of the event, if available.\n\nAccording to RFCs 5424 and 3164, the priority is 8 * facility + severity.\nThis number is therefore expected to contain a value between 0 and 191.',
+ example: 135,
+ },
+ {
+ name: 'syslog.severity.code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The Syslog numeric severity of the log event, if available.\n\nIf the event source publishing via Syslog provides a different numeric severity\nvalue (e.g. firewall, IDS), your source numeric severity should go to `event.severity`.\nIf the event source does not specify a distinct severity, you can optionally\ncopy the Syslog severity to `event.severity`.',
+ example: 3,
+ },
+ {
+ name: 'syslog.severity.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The Syslog numeric severity of the log event, if available.\n\nIf the event source publishing via Syslog provides a different severity value\n(e.g. firewall, IDS), your source text severity should go to `log.level`.\nIf the event source does not specify a distinct severity, you can optionally\ncopy the Syslog severity to `log.level`.',
+ example: 'Error',
+ },
+ ],
+ },
+ {
+ name: 'network',
+ title: 'Network',
+ group: 2,
+ description:
+ 'The network is defined as the communication path over which a host\nor network event happens.\n\nThe network.* fields should be populated with details about the network activity\nassociated with an event.',
+ type: 'group',
+ fields: [
+ {
+ name: 'application',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A name given to an application level protocol. This can be arbitrarily\nassigned for things like microservices, but also apply to things like skype,\nicq, facebook, twitter. This would be used in situations where the vendor\nor service can be decoded such as from the source/dest IP owners, ports, or\nwire format.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'aim',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description:
+ 'Total bytes transferred in both directions.\n\nIf `source.bytes` and `destination.bytes` are known, `network.bytes` is their\nsum.',
+ example: 368,
+ },
+ {
+ name: 'community_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash of source and destination IPs and ports, as well as the\nprotocol used in a communication. This is a tool-agnostic standard to identify\nflows.\n\nLearn more at https://github.com/corelight/community-id-spec.',
+ example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=',
+ },
+ {
+ name: 'direction',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ "Direction of the network traffic.\nRecommended values are:\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events from a host-based monitoring context, populate this field from the host's point of view.\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.",
+ example: 'inbound',
+ },
+ {
+ name: 'forwarded_ip',
+ level: 'core',
+ type: 'ip',
+ description: 'Host IP address when the source IP address is the proxy.',
+ example: '192.1.1.2',
+ },
+ {
+ name: 'iana_number',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).\nStandardized list of protocols. This aligns well with NetFlow and sFlow related\nlogs which use the IANA Protocol Number.',
+ example: 6,
+ },
+ {
+ name: 'inner',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'Network.inner fields are added in addition to network.vlan fields\nto describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed\nfields include vlan.id and vlan.name. Inner vlan fields are typically used\nwhen sending traffic with multiple 802.1q encapsulations to a network sensor\n(e.g. Zeek, Wireshark.)',
+ default_field: false,
+ },
+ {
+ name: 'inner.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'inner.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name given by operators to sections of their network.',
+ example: 'Guest Wifi',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description:
+ 'Total packets transferred in both directions.\n\nIf `source.packets` and `destination.packets` are known, `network.packets`\nis their sum.',
+ example: 24,
+ },
+ {
+ name: 'protocol',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'L7 Network protocol name. ex. http, lumberjack, transport protocol.\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'http',
+ },
+ {
+ name: 'transport',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Same as network.iana_number, but instead using the Keyword name\nof the transport layer (udp, tcp, ipv6-icmp, etc.)\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'tcp',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'In the OSI Model this would be the Network Layer. ipv4, ipv6,\nipsec, pim, etc\n\nThe field value must be normalized to lowercase for querying. See the documentation\nsection "Implementing ECS".',
+ example: 'ipv4',
+ },
+ {
+ name: 'vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'observer',
+ title: 'Observer',
+ group: 2,
+ description:
+ 'An observer is defined as a special network, security, or application\ndevice used to detect, observe, or create network, security, or application-related\nevents and metrics.\n\nThis could be a custom hardware appliance or a server that has been configured\nto run special network, security, or application software. Examples include\nfirewalls, web proxies, intrusion detection/prevention systems, network monitoring\nsensors, web application firewalls, data loss prevention systems, and APM servers.\nThe observer.* fields shall be populated with details of the system, if any,\nthat detects, observes and/or creates a network, security, or application event\nor metric. Message queues and ETL components used in processing events or metrics\nare not considered observers in ECS.',
+ type: 'group',
+ fields: [
+ {
+ name: 'egress',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'Observer.egress holds information like interface number and name,\nvlan, and zone information to classify egress traffic. Single armed monitoring\nsuch as a network sensor on a span port should only use observer.ingress\nto categorize traffic.',
+ default_field: false,
+ },
+ {
+ name: 'egress.interface.alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'egress.interface.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'egress.interface.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
+ },
+ {
+ name: 'egress.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'egress.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'egress.zone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Network zone of outbound traffic as reported by the observer to\ncategorize the destination area of egress traffic, e.g. Internal, External,\nDMZ, HR, Legal, etc.',
+ example: 'Public_Internet',
+ default_field: false,
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'hostname',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Hostname of the observer.',
+ },
+ {
+ name: 'ingress',
+ level: 'extended',
+ type: 'object',
+ object_type: 'keyword',
+ description:
+ 'Observer.ingress holds information like interface number and name,\nvlan, and zone information to classify ingress traffic. Single armed monitoring\nsuch as a network sensor on a span port should only use observer.ingress\nto categorize traffic.',
+ default_field: false,
+ },
+ {
+ name: 'ingress.interface.alias',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Interface alias as reported by the system, typically used in firewall\nimplementations for e.g. inside, outside, or dmz logical interface naming.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'ingress.interface.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface ID as reported by an observer (typically SNMP interface\nID).',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'ingress.interface.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Interface name as reported by the system.',
+ example: 'eth0',
+ default_field: false,
+ },
+ {
+ name: 'ingress.vlan.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'ingress.vlan.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ {
+ name: 'ingress.zone',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Network zone of incoming traffic as reported by the observer to\ncategorize the source area of ingress traffic. e.g. internal, External, DMZ,\nHR, Legal, etc.',
+ example: 'DMZ',
+ default_field: false,
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description: 'IP addresses of the observer.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC addresses of the observer',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Custom name of the observer.\n\nThis is a name that can be given to an observer. This can be helpful for example\nif multiple firewalls of the same model are used in an organization.\n\nIf no custom name is needed, the field can be left empty.',
+ example: '1_proxySG',
+ },
+ {
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The product name of the observer.',
+ example: 's200',
+ },
+ {
+ name: 'serial_number',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Observer serial number.',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of the observer the data is coming from.\n\nThere is no predefined list of observer types. Some examples are `forwarder`,\n`firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.',
+ example: 'firewall',
+ },
+ {
+ name: 'vendor',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Vendor name of the observer.',
+ example: 'Symantec',
+ },
+ {
+ name: 'version',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Observer version.',
+ },
+ ],
+ },
+ {
+ name: 'organization',
+ title: 'Organization',
+ group: 2,
+ description:
+ 'The organization fields enrich data with information about the company\nor entity the data is associated with.\n\nThese fields help you arrange or filter data stored in an index by one or multiple\norganizations.',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the organization.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ },
+ ],
+ },
+ {
+ name: 'os',
+ title: 'Operating System',
+ group: 2,
+ description: 'The OS fields contain information about the operating system.',
+ type: 'group',
+ fields: [
+ {
+ name: 'family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ ],
+ },
+ {
+ name: 'package',
+ title: 'Package',
+ group: 2,
+ description:
+ 'These fields contain information about an installed software package.\nIt contains general information about a package, such as name, version or size.\nIt also contains installation details, such as time or location.',
+ type: 'group',
+ fields: [
+ {
+ name: 'architecture',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package architecture.',
+ example: 'x86_64',
+ },
+ {
+ name: 'build_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the build version of the installed\npackage.\n\nFor example use the commit SHA of a non-released package.',
+ example: '36f4f7e89dd61b0988b12ee000b98966867710cd',
+ default_field: false,
+ },
+ {
+ name: 'checksum',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Checksum of the installed package for verification.',
+ example: '68b329da9893e34099c7d8ad5cb9c940',
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Description of the package.',
+ example:
+ 'Open source programming language to build simple/reliable/efficient\nsoftware.',
+ },
+ {
+ name: 'install_scope',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Indicating how the package was installed, e.g. user-local, global.',
+ example: 'global',
+ },
+ {
+ name: 'installed',
+ level: 'extended',
+ type: 'date',
+ description: 'Time when package was installed.',
+ },
+ {
+ name: 'license',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'License under which the package was released.\n\nUse a short name, e.g. the license identifier from SPDX License List where\npossible (https://spdx.org/licenses/).',
+ example: 'Apache License 2.0',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package name',
+ example: 'go',
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Path where the package is installed.',
+ example: '/usr/local/Cellar/go/1.12.9/',
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Home page or reference URL of the software in this package, if\navailable.',
+ example: 'https://golang.org',
+ default_field: false,
+ },
+ {
+ name: 'size',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Package size in bytes.',
+ example: 62231,
+ },
+ {
+ name: 'type',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Type of package.\n\nThis should contain the package file type, rather than the package manager\nname. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.',
+ example: 'rpm',
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Package version',
+ example: '1.12.9',
+ },
+ ],
+ },
+ {
+ name: 'pe',
+ title: 'PE Header',
+ group: 2,
+ description: 'These fields contain Windows Portable Executable (PE) metadata.',
+ type: 'group',
+ fields: [
+ {
+ name: 'company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'process',
+ title: 'Process',
+ group: 2,
+ description:
+ 'These fields contain information about a process.\n\nThese fields can help you correlate metrics information with a process id/name\nfrom a log message. The `process.pid` often stays in the metric itself and\nis copied to the global field for correlation.',
+ type: 'group',
+ fields: [
+ {
+ name: 'args',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.',
+ example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'],
+ },
+ {
+ name: 'args_count',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Length of the process.args array.\n\nThis field can be useful for querying or performing bucket analysis on how\nmany arguments were provided to start a process. More arguments may be an\nindication of suspicious activity.',
+ example: 4,
+ default_field: false,
+ },
+ {
+ name: 'code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'command_line',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'Full command line that started the process, including the absolute\npath to the executable, and all arguments.\n\nSome arguments may be filtered to protect sensitive information.',
+ example: '/usr/bin/ssh -l user 10.0.0.16',
+ default_field: false,
+ },
+ {
+ name: 'entity_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier for the process.\n\nThe implementation of this is specified by the data source, but some examples\nof what could be used here are a process-generated UUID, Sysmon Process GUIDs,\nor a hash of some uniquely identifying components of a process.\n\nConstructing a globally unique identifier is a common practice to mitigate\nPID reuse as well as to identify a specific process over time, across multiple\nmonitored hosts.',
+ example: 'c2c455d9f99375d',
+ default_field: false,
+ },
+ {
+ name: 'executable',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Absolute path to the process executable.',
+ example: '/usr/bin/ssh',
+ },
+ {
+ name: 'exit_code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The exit code of the process, if this is a termination event.\n\nThe field should be absent if there is no exit code for the event (e.g. process\nstart).',
+ example: 137,
+ default_field: false,
+ },
+ {
+ name: 'hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ },
+ {
+ name: 'hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ },
+ {
+ name: 'hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ },
+ {
+ name: 'hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Process name.\n\nSometimes called program name or similar.',
+ example: 'ssh',
+ },
+ {
+ name: 'parent.args',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of process arguments.\n\nMay be filtered to protect sensitive information.',
+ example: ['ssh', '-l', 'user', '10.0.0.16'],
+ default_field: false,
+ },
+ {
+ name: 'parent.args_count',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Length of the process.args array.\n\nThis field can be useful for querying or performing bucket analysis on how\nmany arguments were provided to start a process. More arguments may be an\nindication of suspicious activity.',
+ example: 4,
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.exists',
+ level: 'core',
+ type: 'boolean',
+ description: 'Boolean to capture if a signature is present.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.status',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Additional information about the certificate status.\n\nThis is useful for logging cryptographic errors with the certificate validity\nor trust status. Leave unpopulated if the validity or trust of the certificate\nwas unchecked.',
+ example: 'ERROR_UNTRUSTED_ROOT',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.subject_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject name of the code signer',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.trusted',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Stores the trust status of the certificate chain.\n\nValidating the trust of the certificate chain may be complicated, and this\nfield should only be populated by tools that actively check the status.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.code_signature.valid',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean to capture if the digital signature is verified against\nthe binary content.\n\nLeave unpopulated if a certificate was unchecked.',
+ example: 'true',
+ default_field: false,
+ },
+ {
+ name: 'parent.command_line',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'Full command line that started the process, including the absolute\npath to the executable, and all arguments.\n\nSome arguments may be filtered to protect sensitive information.',
+ example: '/usr/bin/ssh -l user 10.0.0.16',
+ default_field: false,
+ },
+ {
+ name: 'parent.entity_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier for the process.\n\nThe implementation of this is specified by the data source, but some examples\nof what could be used here are a process-generated UUID, Sysmon Process GUIDs,\nor a hash of some uniquely identifying components of a process.\n\nConstructing a globally unique identifier is a common practice to mitigate\nPID reuse as well as to identify a specific process over time, across multiple\nmonitored hosts.',
+ example: 'c2c455d9f99375d',
+ default_field: false,
+ },
+ {
+ name: 'parent.executable',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'Absolute path to the process executable.',
+ example: '/usr/bin/ssh',
+ default_field: false,
+ },
+ {
+ name: 'parent.exit_code',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'The exit code of the process, if this is a termination event.\n\nThe field should be absent if there is no exit code for the event (e.g. process\nstart).',
+ example: 137,
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MD5 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA1 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA256 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.hash.sha512',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'SHA512 hash.',
+ default_field: false,
+ },
+ {
+ name: 'parent.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'Process name.\n\nSometimes called program name or similar.',
+ example: 'ssh',
+ default_field: false,
+ },
+ {
+ name: 'parent.pgid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Identifier of the group of processes the process belongs to.',
+ default_field: false,
+ },
+ {
+ name: 'parent.pid',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Process id.',
+ example: 4242,
+ default_field: false,
+ },
+ {
+ name: 'parent.ppid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: "Parent process' pid.",
+ example: 4241,
+ default_field: false,
+ },
+ {
+ name: 'parent.start',
+ level: 'extended',
+ type: 'date',
+ description: 'The time the process started.',
+ example: '2016-05-23T08:05:34.853Z',
+ default_field: false,
+ },
+ {
+ name: 'parent.thread.id',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Thread ID.',
+ example: 4242,
+ default_field: false,
+ },
+ {
+ name: 'parent.thread.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Thread name.',
+ example: 'thread-0',
+ default_field: false,
+ },
+ {
+ name: 'parent.title',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'Process title.\n\nThe proctitle, some times the same as process name. Can also be different:\nfor example a browser setting its title to the web page currently opened.',
+ default_field: false,
+ },
+ {
+ name: 'parent.uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the process has been up.',
+ example: 1325,
+ default_field: false,
+ },
+ {
+ name: 'parent.working_directory',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'The working directory of the process.',
+ example: '/home/alice',
+ default_field: false,
+ },
+ {
+ name: 'pe.company',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal company name of the file, provided at compile-time.',
+ example: 'Microsoft Corporation',
+ default_field: false,
+ },
+ {
+ name: 'pe.description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal description of the file, provided at compile-time.',
+ example: 'Paint',
+ default_field: false,
+ },
+ {
+ name: 'pe.file_version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal version of the file, provided at compile-time.',
+ example: '6.3.9600.17415',
+ default_field: false,
+ },
+ {
+ name: 'pe.original_file_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal name of the file, provided at compile-time.',
+ example: 'MSPAINT.EXE',
+ default_field: false,
+ },
+ {
+ name: 'pe.product',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Internal product name of the file, provided at compile-time.',
+ example: 'Microsoft® Windows® Operating System',
+ default_field: false,
+ },
+ {
+ name: 'pgid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Identifier of the group of processes the process belongs to.',
+ },
+ {
+ name: 'pid',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Process id.',
+ example: 4242,
+ },
+ {
+ name: 'ppid',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: "Parent process' pid.",
+ example: 4241,
+ },
+ {
+ name: 'start',
+ level: 'extended',
+ type: 'date',
+ description: 'The time the process started.',
+ example: '2016-05-23T08:05:34.853Z',
+ },
+ {
+ name: 'thread.id',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Thread ID.',
+ example: 4242,
+ },
+ {
+ name: 'thread.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Thread name.',
+ example: 'thread-0',
+ },
+ {
+ name: 'title',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Process title.\n\nThe proctitle, some times the same as process name. Can also be different:\nfor example a browser setting its title to the web page currently opened.',
+ },
+ {
+ name: 'uptime',
+ level: 'extended',
+ type: 'long',
+ description: 'Seconds the process has been up.',
+ example: 1325,
+ },
+ {
+ name: 'working_directory',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'The working directory of the process.',
+ example: '/home/alice',
+ },
+ ],
+ },
+ {
+ name: 'registry',
+ title: 'Registry',
+ group: 2,
+ description: 'Fields related to Windows Registry operations.',
+ type: 'group',
+ fields: [
+ {
+ name: 'data.bytes',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Original bytes written with base64 encoding.\n\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this\ncorresponds to the data pointed by `lp_data`. This is optional but provides\nbetter recoverability and should be populated for REG_BINARY encoded values.',
+ example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=',
+ default_field: false,
+ },
+ {
+ name: 'data.strings',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Content when writing string types.\n\nPopulated as an array when writing string data to the registry. For single\nstring registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with\none string. For sequences of string with REG_MULTI_SZ, this array will be\nvariable length. For numeric data, such as REG_DWORD and REG_QWORD, this should\nbe populated with the decimal representation (e.g `"1"`).',
+ example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]',
+ default_field: false,
+ },
+ {
+ name: 'data.type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Standard registry type for encoding contents',
+ example: 'REG_SZ',
+ default_field: false,
+ },
+ {
+ name: 'hive',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Abbreviated name for the hive.',
+ example: 'HKLM',
+ default_field: false,
+ },
+ {
+ name: 'key',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Hive-relative path of keys.',
+ example:
+ 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe',
+ default_field: false,
+ },
+ {
+ name: 'path',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Full path, including hive, key and value',
+ example:
+ 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution\nOptions\\winword.exe\\Debugger',
+ default_field: false,
+ },
+ {
+ name: 'value',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the value written.',
+ example: 'Debugger',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'related',
+ title: 'Related',
+ group: 2,
+ description:
+ 'This field set is meant to facilitate pivoting around a piece of\ndata.\n\nSome pieces of information can be seen in many places in an ECS event. To facilitate\nsearching for them, store an array of all seen values to their corresponding\nfield in `related.`.\n\nA concrete example is IP addresses, which can be under host, observer, source,\ndestination, client, server, and network.forwarded_ip. If you append all IPs\nto `related.ip`, you can then search for a given IP trivially, no matter where\nit appeared, by querying `related.ip:192.0.2.15`.',
+ type: 'group',
+ fields: [
+ {
+ name: 'hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ "All the hashes seen on your event. Populating this field, then\nusing it to search for hashes can help in situations where you're unsure what\nthe hash algorithm is (and therefore which key name to search).",
+ default_field: false,
+ },
+ {
+ name: 'ip',
+ level: 'extended',
+ type: 'ip',
+ description: 'All of the IPs seen on your event.',
+ },
+ {
+ name: 'user',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'All the user names seen on your event.',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'rule',
+ title: 'Rule',
+ group: 2,
+ description:
+ 'Rule fields are used to capture the specifics of any observer or\nagent rules that generate alerts or other notable events.\n\nExamples of data sources that would populate the rule fields include: network\nadmission control platforms, network or host IDS/IPS, network firewalls, web\napplication firewalls, url filters, endpoint detection and response (EDR) systems,\netc.',
+ type: 'group',
+ fields: [
+ {
+ name: 'author',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name, organization, or pseudonym of the author or authors who created\nthe rule used to generate this event.',
+ example: ['Star-Lord'],
+ default_field: false,
+ },
+ {
+ name: 'category',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A categorization value keyword used by the entity using the rule\nfor detection of this event.',
+ example: 'Attempted Information Leak',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The description of the rule generating the event.',
+ example: 'Block requests to public DNS over HTTPS / TLS protocols',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A rule ID that is unique within the scope of an agent, observer,\nor other entity using the rule for detection of this event.',
+ example: 101,
+ default_field: false,
+ },
+ {
+ name: 'license',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the license under which the rule used to generate this\nevent is made available.',
+ example: 'Apache 2.0',
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the rule or signature generating the event.',
+ example: 'BLOCK_DNS_over_TLS',
+ default_field: false,
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Reference URL to additional information about the rule used to\ngenerate this event.\n\nThe URL can point to the vendor documentation about the rule. If that is\nnot available, it can also be a link to a more general page describing this\ntype of alert.',
+ example: 'https://en.wikipedia.org/wiki/DNS_over_TLS',
+ default_field: false,
+ },
+ {
+ name: 'ruleset',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the ruleset, policy, group, or parent category in which\nthe rule used to generate this event is a member.',
+ example: 'Standard_Protocol_Filters',
+ default_field: false,
+ },
+ {
+ name: 'uuid',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A rule ID that is unique within the scope of a set or group of\nagents, observers, or other entities using the rule for detection of this\nevent.',
+ example: 1100110011,
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The version / revision of the rule being used for analysis.',
+ example: 1.1,
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'server',
+ title: 'Server',
+ group: 2,
+ description:
+ 'A Server is defined as the responder in a network connection for\nevents regarding sessions, connections, or bidirectional flow records.\n\nFor TCP events, the server is the receiver of the initial SYN packet(s) of the\nTCP connection. For other protocols, the server is generally the responder in\nthe network transaction. Some systems actually use the term "responder" to refer\nthe server in TCP connections. The server fields describe details about the\nsystem acting as the server in the network event. Server fields are usually\npopulated in conjunction with client fields. Server fields are generally not\npopulated for packet-level events.\n\nClient / server representations can add semantic context to an exchange, which\nis helpful to visualize the data in certain situations. If your context falls\nin that category, you should still ensure that source and destination are filled\nappropriately.',
+ type: 'group',
+ fields: [
+ {
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event server addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the server to the client.',
+ example: 184,
+ },
+ {
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Server domain.',
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description:
+ 'IP address of the server.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the server.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated ip of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of destination based NAT sessions (e.g. internet\nto private DMZ)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the server to the client.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the server.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered server domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'service',
+ title: 'Service',
+ group: 2,
+ description:
+ 'The service fields describe the service for or from which the data\nwas collected.\n\nThese fields help you find and correlate logs for a specific service and version.',
+ type: 'group',
+ fields: [
+ {
+ name: 'ephemeral_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Ephemeral identifier of this service (if one exists).\n\nThis id normally changes across restarts, but `service.id` does not.',
+ example: '8a4f500f',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the running service. If the service is comprised\nof many nodes, the `service.id` should be the same for all nodes.\n\nThis id should uniquely identify the service. This makes it possible to correlate\nlogs and metrics for one specific service, no matter which particular node\nemitted the event.\n\nNote that if you need to see the events from one specific host of the service,\nyou should filter on that `host.name` or `host.id` instead.',
+ example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the service data is collected from.\n\nThe name of the service is normally user given. This allows for distributed\nservices that run on multiple hosts to correlate the related instances based\non the name.\n\nIn the case of Elasticsearch the `service.name` could contain the cluster\nname. For Beats the `service.name` is by default a copy of the `service.type`\nfield if no name is specified.',
+ example: 'elasticsearch-metrics',
+ },
+ {
+ name: 'node.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of a service node.\n\nThis allows for two nodes of the same service running on the same host to\nbe differentiated. Therefore, `service.node.name` should typically be unique\nacross nodes of a given service.\n\nIn the case of Elasticsearch, the `service.node.name` could contain the unique\nnode name within the Elasticsearch cluster. In cases where the service doe not\nhave the concept of a node name, the host name or container name can be used\nto distinguish running instances that make up this service. If those do not\nprovide uniqueness (e.g. multiple instances of the service running on the\nsame host) - the node name can be manually set.',
+ example: 'instance-0000000016',
+ },
+ {
+ name: 'state',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Current state of the service.',
+ },
+ {
+ name: 'type',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of the service data is collected from.\n\nThe type can be used to group and correlate logs and metrics from one service\ntype.\n\nExample: If logs or metrics are collected from Elasticsearch, `service.type`\nwould be `elasticsearch`.',
+ example: 'elasticsearch',
+ },
+ {
+ name: 'version',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Version of the service the data was collected from.\n\nThis allows to look at a data set only for a specific version of a service.',
+ example: '3.2.4',
+ },
+ ],
+ },
+ {
+ name: 'source',
+ title: 'Source',
+ group: 2,
+ description:
+ 'Source fields describe details about the source of a packet/event.\n\nSource fields are usually populated in conjunction with destination fields.',
+ type: 'group',
+ fields: [
+ {
+ name: 'address',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Some event source addresses are defined ambiguously. The event\nwill sometimes list an IP, a domain or a unix socket. You should always store\nthe raw address in the `.address` field.\n\nThen it should be duplicated to `.ip` or `.domain`, depending on which one\nit is.',
+ },
+ {
+ name: 'as.number',
+ level: 'extended',
+ type: 'long',
+ description:
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ },
+ {
+ name: 'as.organization.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Organization name.',
+ example: 'Google LLC',
+ },
+ {
+ name: 'bytes',
+ level: 'core',
+ type: 'long',
+ format: 'bytes',
+ description: 'Bytes sent from the source to the destination.',
+ example: 184,
+ },
+ {
+ name: 'domain',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Source domain.',
+ },
+ {
+ name: 'geo.city_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'City name.',
+ example: 'Montreal',
+ },
+ {
+ name: 'geo.continent_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the continent.',
+ example: 'North America',
+ },
+ {
+ name: 'geo.country_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country ISO code.',
+ example: 'CA',
+ },
+ {
+ name: 'geo.country_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Country name.',
+ example: 'Canada',
+ },
+ {
+ name: 'geo.location',
+ level: 'core',
+ type: 'geo_point',
+ description: 'Longitude and latitude.',
+ example: '{ "lon": -73.614830, "lat": 45.505918 }',
+ },
+ {
+ name: 'geo.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'User-defined description of a location, at the level of granularity\nthey care about.\n\nCould be the name of their data centers, the floor number, if this describes\na local physical entity, city names.\n\nNot typically used in automated geolocation.',
+ example: 'boston-dc',
+ },
+ {
+ name: 'geo.region_iso_code',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region ISO code.',
+ example: 'CA-QC',
+ },
+ {
+ name: 'geo.region_name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Region name.',
+ example: 'Quebec',
+ },
+ {
+ name: 'ip',
+ level: 'core',
+ type: 'ip',
+ description:
+ 'IP address of the source.\n\nCan be one or multiple IPv4 or IPv6 addresses.',
+ },
+ {
+ name: 'mac',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'MAC address of the source.',
+ },
+ {
+ name: 'nat.ip',
+ level: 'extended',
+ type: 'ip',
+ description:
+ 'Translated ip of source based NAT sessions (e.g. internal client\nto internet)\n\nTypically connections traversing load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'nat.port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description:
+ 'Translated port of source based NAT sessions. (e.g. internal client\nto internet)\n\nTypically used with load balancers, firewalls, or routers.',
+ },
+ {
+ name: 'packets',
+ level: 'core',
+ type: 'long',
+ description: 'Packets sent from the source to the destination.',
+ example: 12,
+ },
+ {
+ name: 'port',
+ level: 'core',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the source.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered source domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'user.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'user.full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'user.group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'user.group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'user.group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'user.hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'user.id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'user.name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'threat',
+ title: 'Threat',
+ group: 2,
+ description:
+ 'Fields to classify events and alerts according to a threat taxonomy\nsuch as the Mitre ATT&CK framework.\n\nThese fields are for users to classify alerts from all of their sources (e.g.\nIDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to\ncapture the high level category of the threat (e.g. "impact"). The threat.technique.*\nfields are meant to capture which kind of approach is used by this detected\nthreat, to accomplish the goal (e.g. "endpoint denial of service").',
+ type: 'group',
+ fields: [
+ {
+ name: 'framework',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the threat framework used to further categorize and classify\nthe tactic and technique of the reported threat. Framework classification\ncan be provided by detecting systems, evaluated at ingest time, or retrospectively\ntagged to events.',
+ example: 'MITRE ATT&CK',
+ },
+ {
+ name: 'tactic.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The id of tactic used by this threat. You can use the Mitre ATT&CK\nMatrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'TA0040',
+ },
+ {
+ name: 'tactic.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the type of tactic used by this threat. You can use the\nMitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'impact',
+ },
+ {
+ name: 'tactic.reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The reference url of tactic used by this threat. You can use the\nMitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/\n)',
+ example: 'https://attack.mitre.org/tactics/TA0040/',
+ },
+ {
+ name: 'technique.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The id of technique used by this tactic. You can use the Mitre\nATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'T1499',
+ },
+ {
+ name: 'technique.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'The name of technique used by this tactic. You can use the Mitre\nATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'endpoint denial of service',
+ },
+ {
+ name: 'technique.reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The reference url of technique used by this tactic. You can use\nthe Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/\n)',
+ example: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
+ },
+ {
+ name: 'tls',
+ title: 'TLS',
+ group: 2,
+ description:
+ 'Fields related to a TLS connection. These fields focus on the TLS\nprotocol itself and intentionally avoids in-depth analysis of the related x.509\ncertificate files.',
+ type: 'group',
+ fields: [
+ {
+ name: 'cipher',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'String indicating the cipher used during the current connection.',
+ example: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
+ default_field: false,
+ },
+ {
+ name: 'client.certificate',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'PEM-encoded stand-alone certificate offered by the client. This\nis usually mutually-exclusive of `client.certificate_chain` since this value\nalso exists in that list.',
+ example: 'MII...',
+ default_field: false,
+ },
+ {
+ name: 'client.certificate_chain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of PEM-encoded certificates that make up the certificate\nchain offered by the client. This is usually mutually-exclusive of `client.certificate`\nsince that value should be the first certificate in the chain.',
+ example: ['MII...', 'MII...'],
+ default_field: false,
+ },
+ {
+ name: 'client.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the MD5 digest of DER-encoded version\nof certificate offered by the client. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC',
+ default_field: false,
+ },
+ {
+ name: 'client.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA1 digest of DER-encoded version\nof certificate offered by the client. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '9E393D93138888D288266C2D915214D1D1CCEB2A',
+ default_field: false,
+ },
+ {
+ name: 'client.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA256 digest of DER-encoded\nversion of certificate offered by the client. For consistency with other hash\nvalues, this value should be formatted as an uppercase hash.',
+ example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0',
+ default_field: false,
+ },
+ {
+ name: 'client.issuer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Distinguished name of subject of the issuer of the x.509 certificate\npresented by the client.',
+ example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'client.ja3',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash that identifies clients based on how they perform an SSL/TLS\nhandshake.',
+ example: 'd4e5b18d6b55c71272893221c96ba240',
+ default_field: false,
+ },
+ {
+ name: 'client.not_after',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Date/Time indicating when client certificate is no longer considered\nvalid.',
+ example: '2021-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'client.not_before',
+ level: 'extended',
+ type: 'date',
+ description: 'Date/Time indicating when client certificate is first considered\nvalid.',
+ example: '1970-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'client.server_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Also called an SNI, this tells the server which hostname to which\nthe client is attempting to connect. When this value is available, it should\nget copied to `destination.domain`.',
+ example: 'www.elastic.co',
+ default_field: false,
+ },
+ {
+ name: 'client.subject',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Distinguished name of subject of the x.509 certificate presented\nby the client.',
+ example: 'CN=myclient, OU=Documentation Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'client.supported_ciphers',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Array of ciphers offered by the client during the client hello.',
+ example: [
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+ '...',
+ ],
+ default_field: false,
+ },
+ {
+ name: 'curve',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'String indicating the curve used for the given cipher, when applicable.',
+ example: 'secp256r1',
+ default_field: false,
+ },
+ {
+ name: 'established',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean flag indicating if the TLS negotiation was successful and\ntransitioned to an encrypted tunnel.',
+ default_field: false,
+ },
+ {
+ name: 'next_protocol',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'String indicating the protocol being tunneled. Per the values in\nthe IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),\nthis string should be lower case.',
+ example: 'http/1.1',
+ default_field: false,
+ },
+ {
+ name: 'resumed',
+ level: 'extended',
+ type: 'boolean',
+ description:
+ 'Boolean flag indicating if this TLS connection was resumed from\nan existing TLS negotiation.',
+ default_field: false,
+ },
+ {
+ name: 'server.certificate',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'PEM-encoded stand-alone certificate offered by the server. This\nis usually mutually-exclusive of `server.certificate_chain` since this value\nalso exists in that list.',
+ example: 'MII...',
+ default_field: false,
+ },
+ {
+ name: 'server.certificate_chain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Array of PEM-encoded certificates that make up the certificate\nchain offered by the server. This is usually mutually-exclusive of `server.certificate`\nsince that value should be the first certificate in the chain.',
+ example: ['MII...', 'MII...'],
+ default_field: false,
+ },
+ {
+ name: 'server.hash.md5',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the MD5 digest of DER-encoded version\nof certificate offered by the server. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC',
+ default_field: false,
+ },
+ {
+ name: 'server.hash.sha1',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA1 digest of DER-encoded version\nof certificate offered by the server. For consistency with other hash values,\nthis value should be formatted as an uppercase hash.',
+ example: '9E393D93138888D288266C2D915214D1D1CCEB2A',
+ default_field: false,
+ },
+ {
+ name: 'server.hash.sha256',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Certificate fingerprint using the SHA256 digest of DER-encoded\nversion of certificate offered by the server. For consistency with other hash\nvalues, this value should be formatted as an uppercase hash.',
+ example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0',
+ default_field: false,
+ },
+ {
+ name: 'server.issuer',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject of the issuer of the x.509 certificate presented by the\nserver.',
+ example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'server.ja3s',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A hash that identifies servers based on how they perform an SSL/TLS\nhandshake.',
+ example: '394441ab65754e2207b1e1b457b3641d',
+ default_field: false,
+ },
+ {
+ name: 'server.not_after',
+ level: 'extended',
+ type: 'date',
+ description:
+ 'Timestamp indicating when server certificate is no longer considered\nvalid.',
+ example: '2021-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'server.not_before',
+ level: 'extended',
+ type: 'date',
+ description: 'Timestamp indicating when server certificate is first considered\nvalid.',
+ example: '1970-01-01T00:00:00.000Z',
+ default_field: false,
+ },
+ {
+ name: 'server.subject',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Subject of the x.509 certificate presented by the server.',
+ example: 'CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com',
+ default_field: false,
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Numeric part of the version parsed from the original string.',
+ example: '1.2',
+ default_field: false,
+ },
+ {
+ name: 'version_protocol',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Normalized lowercase protocol name parsed from original string.',
+ example: 'tls',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'tracing',
+ title: 'Tracing',
+ group: 2,
+ description:
+ 'Distributed tracing makes it possible to analyze performance throughout\na microservice architecture all in one view. This is accomplished by tracing\nall of the requests - from the initial web request in the front-end service\n- to queries made through multiple back-end services.',
+ type: 'group',
+ fields: [
+ {
+ name: 'trace.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the trace.\n\nA trace groups multiple events like transactions that belong together. For\nexample, a user request handled by multiple inter-connected services.',
+ example: '4bf92f3577b34da6a3ce929d0e0e4736',
+ },
+ {
+ name: 'transaction.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique identifier of the transaction.\n\nA transaction is the highest level of work measured within a service, such\nas a request to a server.',
+ example: '00f067aa0ba902b7',
+ },
+ ],
+ },
+ {
+ name: 'url',
+ title: 'URL',
+ group: 2,
+ description:
+ 'URL fields provide support for complete or partial URLs, and supports\nthe breaking down into scheme, domain, path, and so on.',
+ type: 'group',
+ fields: [
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Domain of the url, such as "www.elastic.co".\n\nIn some cases a URL may refer to an IP and/or port directly, without a domain\nname. In this case, the IP address would go to the `domain` field.',
+ example: 'www.elastic.co',
+ },
+ {
+ name: 'extension',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The field contains the file extension from the original request\nurl.\n\nThe file extension is only set if it exists, as not every url has a file extension.\n\nThe leading period must not be included. For example, the value must be "png",\nnot ".png".',
+ example: 'png',
+ },
+ {
+ name: 'fragment',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Portion of the url after the `#`, such as "top".\n\nThe `#` is not part of the fragment.',
+ },
+ {
+ name: 'full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'If full URLs are important to your use case, they should be stored\nin `url.full`, whether this field is reconstructed or present in the event\nsource.',
+ example: 'https://www.elastic.co:443/search?q=elasticsearch#top',
+ },
+ {
+ name: 'original',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description:
+ 'Unmodified original url as seen in the event source.\n\nNote that in network monitoring, the observed URL may be a full URL, whereas\nin access logs, the URL is often just represented as a path.\n\nThis field is meant to represent the URL as it was observed, complete or not.',
+ example:
+ 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch',
+ },
+ {
+ name: 'password',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Password of the request.',
+ },
+ {
+ name: 'path',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Path of the request, such as "/search".',
+ },
+ {
+ name: 'port',
+ level: 'extended',
+ type: 'long',
+ format: 'string',
+ description: 'Port of the request, such as 443.',
+ example: 443,
+ },
+ {
+ name: 'query',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The query field describes the query string of the request, such\nas "q=elasticsearch".\n\nThe `?` is excluded from the query string. If a URL contains no `?`, there\nis no query field. If there is a `?` but no query, the query field exists\nwith an empty string. The `exists` query can be used to differentiate between\nthe two cases.',
+ },
+ {
+ name: 'registered_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The highest registered url domain, stripped of the subdomain.\n\nFor example, the registered domain for "foo.google.com" is "google.com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last two labels will not work well for TLDs such as "co.uk".',
+ example: 'google.com',
+ },
+ {
+ name: 'scheme',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Scheme of the request, such as "https".\n\nNote: The `:` is not part of the scheme.',
+ example: 'https',
+ },
+ {
+ name: 'top_level_domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The effective top level domain (eTLD), also known as the domain\nsuffix, is the last part of the domain name. For example, the top level domain\nfor google.com is "com".\n\nThis value can be determined precisely with a list like the public suffix\nlist (http://publicsuffix.org). Trying to approximate this by simply taking\nthe last label will not work well for effective TLDs such as "co.uk".',
+ example: 'co.uk',
+ },
+ {
+ name: 'username',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Username of the request.',
+ },
+ ],
+ },
+ {
+ name: 'user',
+ title: 'User',
+ group: 2,
+ description:
+ 'The user fields describe information about the user that is relevant\nto the event.\n\nFields can have one entry or multiple entries. If a user has more than one id,\nprovide an array that includes all of them.',
+ type: 'group',
+ fields: [
+ {
+ name: 'domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the user is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'email',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'User email address.',
+ },
+ {
+ name: 'full_name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: "User's full name, if available.",
+ example: 'Albert Einstein',
+ },
+ {
+ name: 'group.domain',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Name of the directory the group is a member of.\n\nFor example, an LDAP or Active Directory domain name.',
+ },
+ {
+ name: 'group.id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifier for the group on the system/platform.',
+ },
+ {
+ name: 'group.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the group.',
+ },
+ {
+ name: 'hash',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'Unique user hash to correlate information for a user in anonymized\nform.\n\nUseful if `user.id` or `user.name` contain confidential information and cannot\nbe used.',
+ },
+ {
+ name: 'id',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Unique identifiers of the user.',
+ },
+ {
+ name: 'name',
+ level: 'core',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Short name or login of the user.',
+ example: 'albert',
+ },
+ ],
+ },
+ {
+ name: 'user_agent',
+ title: 'User agent',
+ group: 2,
+ description:
+ 'The user_agent fields normally come from a browser request.\n\nThey often show up in web service logs coming from the parsed user agent string.',
+ type: 'group',
+ fields: [
+ {
+ name: 'device.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the device.',
+ example: 'iPhone',
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Name of the user agent.',
+ example: 'Safari',
+ },
+ {
+ name: 'original',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description: 'Unparsed user_agent string.',
+ example:
+ 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15\n(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
+ },
+ {
+ name: 'os.family',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'OS family (such as redhat, debian, freebsd, windows).',
+ example: 'debian',
+ },
+ {
+ name: 'os.full',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, including the version or code name.',
+ example: 'Mac OS Mojave',
+ },
+ {
+ name: 'os.kernel',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system kernel version as a raw string.',
+ example: '4.4.0-112-generic',
+ },
+ {
+ name: 'os.name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ default_field: false,
+ },
+ ],
+ description: 'Operating system name, without the version.',
+ example: 'Mac OS X',
+ },
+ {
+ name: 'os.platform',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system platform (such centos, ubuntu, windows).',
+ example: 'darwin',
+ },
+ {
+ name: 'os.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Operating system version as a raw string.',
+ example: '10.14.1',
+ },
+ {
+ name: 'version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Version of the user agent.',
+ example: 12,
+ },
+ ],
+ },
+ {
+ name: 'vlan',
+ title: 'VLAN',
+ group: 2,
+ description:
+ 'The VLAN fields are used to identify 802.1q tag(s) of a packet,\nas well as ingress and egress VLAN associations of an observer in relation to\na specific packet or connection.\n\nNetwork.vlan fields are used to record a single VLAN tag, or the outer tag in\nthe case of q-in-q encapsulations, for a packet or connection as observed, typically\nprovided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.\n\nNetwork.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple\n802.1q encapsulations) as observed, typically provided by a network sensor (e.g.\nZeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should\nonly be used in addition to network.vlan fields to indicate q-in-q tagging.\n\nObserver.ingress and observer.egress VLAN values are used to record observer\nspecific information when observer events contain discrete ingress and egress\nVLAN information, typically provided by firewalls, routers, or load balancers.',
+ type: 'group',
+ fields: [
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'VLAN ID as reported by the observer.',
+ example: 10,
+ default_field: false,
+ },
+ {
+ name: 'name',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'Optional VLAN name as reported by the observer.',
+ example: 'outside',
+ default_field: false,
+ },
+ ],
+ },
+ {
+ name: 'vulnerability',
+ title: 'Vulnerability',
+ group: 2,
+ description:
+ 'The vulnerability fields describe information about a vulnerability\nthat is relevant to an event.',
+ type: 'group',
+ fields: [
+ {
+ name: 'category',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of system or architecture that the vulnerability affects.\nThese may be platform-specific (for example, Debian or SUSE) or general (for\nexample, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys\nvulnerability categories])\n\nThis field must be an array.',
+ example: '["Firewall"]',
+ default_field: false,
+ },
+ {
+ name: 'classification',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The classification of the vulnerability scoring system. For example\n(https://www.first.org/cvss/)',
+ example: 'CVSS',
+ default_field: false,
+ },
+ {
+ name: 'description',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ multi_fields: [
+ {
+ name: 'text',
+ type: 'text',
+ norms: false,
+ },
+ ],
+ description:
+ 'The description of the vulnerability that provides additional context\nof the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common\nVulnerabilities and Exposure CVE description])',
+ example: 'In macOS before 2.12.6, there is a vulnerability in the RPC...',
+ default_field: false,
+ },
+ {
+ name: 'enumeration',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The type of identifier used for this vulnerability. For example\n(https://cve.mitre.org/about/)',
+ example: 'CVE',
+ default_field: false,
+ },
+ {
+ name: 'id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The identification (ID) is the number portion of a vulnerability\nentry. It includes a unique identification number for the vulnerability. For\nexample (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities\nand Exposure CVE ID]',
+ example: 'CVE-2019-00001',
+ default_field: false,
+ },
+ {
+ name: 'reference',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'A resource that provides additional information, context, and mitigations\nfor the identified vulnerability.',
+ example: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111',
+ default_field: false,
+ },
+ {
+ name: 'report_id',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The report or scan identification number.',
+ example: 20191018.0001,
+ default_field: false,
+ },
+ {
+ name: 'scanner.vendor',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description: 'The name of the vulnerability scanner vendor.',
+ example: 'Tenable',
+ default_field: false,
+ },
+ {
+ name: 'score.base',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nBase scores cover an assessment for exploitability metrics (attack vector,\ncomplexity, privileges, and user interaction), impact metrics (confidentiality,\nintegrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)',
+ example: 5.5,
+ default_field: false,
+ },
+ {
+ name: 'score.environmental',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality,\nintegrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)',
+ example: 5.5,
+ default_field: false,
+ },
+ {
+ name: 'score.temporal',
+ level: 'extended',
+ type: 'float',
+ description:
+ 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\n\nTemporal scores cover an assessment for code maturity, remediation level,\nand confidence. For example (https://www.first.org/cvss/specification-document)',
+ default_field: false,
+ },
+ {
+ name: 'score.version',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The National Vulnerability Database (NVD) provides qualitative\nseverity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score\nranges in addition to the severity ratings for CVSS v3.0 as they are defined\nin the CVSS v3.0 specification.\n\nCVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit\norganization, whose mission is to help computer security incident response\nteams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)',
+ example: 2,
+ default_field: false,
+ },
+ {
+ name: 'severity',
+ level: 'extended',
+ type: 'keyword',
+ ignore_above: 1024,
+ description:
+ 'The severity of the vulnerability can help with metrics and internal\nprioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)',
+ example: 'Critical',
+ default_field: false,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'beat',
+ anchor: 'beat-common',
+ title: 'Beat',
+ description: 'Contains common beat fields available in all event types.\n',
+ fields: [
+ {
+ name: 'agent.hostname',
+ type: 'keyword',
+ description: 'Hostname of the agent.',
+ },
+ {
+ name: 'beat.timezone',
+ type: 'alias',
+ path: 'event.timezone',
+ migration: true,
+ },
+ {
+ name: 'fields',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Contains user configurable fields.\n',
+ },
+ {
+ name: 'beat.name',
+ type: 'alias',
+ path: 'host.name',
+ migration: true,
+ },
+ {
+ name: 'beat.hostname',
+ type: 'alias',
+ path: 'agent.hostname',
+ migration: true,
+ },
+ {
+ name: 'timeseries.instance',
+ type: 'keyword',
+ description: 'Time series instance id',
+ },
+ ],
+ },
+ {
+ key: 'cloud',
+ title: 'Cloud provider metadata',
+ description: 'Metadata from cloud providers added by the add_cloud_metadata processor.\n',
+ fields: [
+ {
+ name: 'cloud.project.id',
+ example: 'project-x',
+ description: 'Name of the project in Google Cloud.\n',
+ },
+ {
+ name: 'cloud.image.id',
+ example: 'ami-abcd1234',
+ description: 'Image ID for the cloud instance.\n',
+ },
+ {
+ name: 'meta.cloud.provider',
+ type: 'alias',
+ path: 'cloud.provider',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.instance_id',
+ type: 'alias',
+ path: 'cloud.instance.id',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.instance_name',
+ type: 'alias',
+ path: 'cloud.instance.name',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.machine_type',
+ type: 'alias',
+ path: 'cloud.machine.type',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.availability_zone',
+ type: 'alias',
+ path: 'cloud.availability_zone',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.project_id',
+ type: 'alias',
+ path: 'cloud.project.id',
+ migration: true,
+ },
+ {
+ name: 'meta.cloud.region',
+ type: 'alias',
+ path: 'cloud.region',
+ migration: true,
+ },
+ ],
+ },
+ {
+ key: 'docker',
+ title: 'Docker',
+ description: 'Docker stats collected from Docker.\n',
+ short_config: false,
+ anchor: 'docker-processor',
+ fields: [
+ {
+ name: 'docker',
+ type: 'group',
+ fields: [
+ {
+ name: 'container.id',
+ type: 'alias',
+ path: 'container.id',
+ migration: true,
+ },
+ {
+ name: 'container.image',
+ type: 'alias',
+ path: 'container.image.name',
+ migration: true,
+ },
+ {
+ name: 'container.name',
+ type: 'alias',
+ path: 'container.name',
+ migration: true,
+ },
+ {
+ name: 'container.labels',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Image labels.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'host',
+ title: 'Host',
+ description: 'Info collected for the host machine.\n',
+ anchor: 'host-processor',
+ fields: [
+ {
+ name: 'host',
+ type: 'group',
+ fields: [
+ {
+ name: 'containerized',
+ type: 'boolean',
+ description: 'If the host is a container.\n',
+ },
+ {
+ name: 'os.build',
+ type: 'keyword',
+ example: '18D109',
+ description: 'OS build information.\n',
+ },
+ {
+ name: 'os.codename',
+ type: 'keyword',
+ example: 'stretch',
+ description: 'OS codename, if any.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'kubernetes',
+ title: 'Kubernetes',
+ description: 'Kubernetes metadata added by the kubernetes processor\n',
+ short_config: false,
+ anchor: 'kubernetes-processor',
+ fields: [
+ {
+ name: 'kubernetes',
+ type: 'group',
+ fields: [
+ {
+ name: 'pod.name',
+ type: 'keyword',
+ description: 'Kubernetes pod name\n',
+ },
+ {
+ name: 'pod.uid',
+ type: 'keyword',
+ description: 'Kubernetes Pod UID\n',
+ },
+ {
+ name: 'namespace',
+ type: 'keyword',
+ description: 'Kubernetes namespace\n',
+ },
+ {
+ name: 'node.name',
+ type: 'keyword',
+ description: 'Kubernetes node name\n',
+ },
+ {
+ name: 'labels.*',
+ type: 'object',
+ object_type: 'keyword',
+ object_type_mapping_type: '*',
+ description: 'Kubernetes labels map\n',
+ },
+ {
+ name: 'annotations.*',
+ type: 'object',
+ object_type: 'keyword',
+ object_type_mapping_type: '*',
+ description: 'Kubernetes annotations map\n',
+ },
+ {
+ name: 'replicaset.name',
+ type: 'keyword',
+ description: 'Kubernetes replicaset name\n',
+ },
+ {
+ name: 'deployment.name',
+ type: 'keyword',
+ description: 'Kubernetes deployment name\n',
+ },
+ {
+ name: 'statefulset.name',
+ type: 'keyword',
+ description: 'Kubernetes statefulset name\n',
+ },
+ {
+ name: 'container.name',
+ type: 'keyword',
+ description: 'Kubernetes container name\n',
+ },
+ {
+ name: 'container.image',
+ type: 'keyword',
+ description: 'Kubernetes container image\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'process',
+ title: 'Process',
+ description: 'Process metadata fields\n',
+ fields: [
+ {
+ name: 'process',
+ type: 'group',
+ fields: [
+ {
+ name: 'exe',
+ type: 'alias',
+ path: 'process.executable',
+ migration: true,
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'jolokia-autodiscover',
+ title: 'Jolokia Discovery autodiscover provider',
+ description: 'Metadata from Jolokia Discovery added by the jolokia provider.\n',
+ fields: [
+ {
+ name: 'jolokia.agent.version',
+ type: 'keyword',
+ description: 'Version number of jolokia agent.\n',
+ },
+ {
+ name: 'jolokia.agent.id',
+ type: 'keyword',
+ description:
+ 'Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.\n',
+ },
+ {
+ name: 'jolokia.server.product',
+ type: 'keyword',
+ description: 'The container product if detected.\n',
+ },
+ {
+ name: 'jolokia.server.version',
+ type: 'keyword',
+ description: "The container's version (if detected).\n",
+ },
+ {
+ name: 'jolokia.server.vendor',
+ type: 'keyword',
+ description: 'The vendor of the container the agent is running in.\n',
+ },
+ {
+ name: 'jolokia.url',
+ type: 'keyword',
+ description: 'The URL how this agent can be contacted.\n',
+ },
+ {
+ name: 'jolokia.secured',
+ type: 'boolean',
+ description: 'Whether the agent was configured for authentication or not.\n',
+ },
+ ],
+ },
+ {
+ key: 'common',
+ title: 'Common',
+ description:
+ 'These fields contain data about the environment in which the transaction or flow was captured.\n',
+ fields: [
+ {
+ name: 'type',
+ description:
+ 'The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.\n',
+ required: true,
+ },
+ {
+ name: 'server.process.name',
+ description: 'The name of the process that served the transaction.\n',
+ },
+ {
+ name: 'server.process.args',
+ description: 'The command-line of the process that served the transaction.\n',
+ },
+ {
+ name: 'server.process.executable',
+ description: 'Absolute path to the server process executable.\n',
+ },
+ {
+ name: 'server.process.working_directory',
+ description: 'The working directory of the server process.\n',
+ },
+ {
+ name: 'server.process.start',
+ description: 'The time the server process started.\n',
+ },
+ {
+ name: 'client.process.name',
+ description: 'The name of the process that initiated the transaction.\n',
+ },
+ {
+ name: 'client.process.args',
+ description: 'The command-line of the process that initiated the transaction.\n',
+ },
+ {
+ name: 'client.process.executable',
+ description: 'Absolute path to the client process executable.\n',
+ },
+ {
+ name: 'client.process.working_directory',
+ description: 'The working directory of the client process.\n',
+ },
+ {
+ name: 'client.process.start',
+ description: 'The time the client process started.\n',
+ },
+ {
+ name: 'real_ip',
+ type: 'alias',
+ path: 'network.forwarded_ip',
+ migration: true,
+ description:
+ 'If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, the IP address extracted from a configurable HTTP header, by default `X-Forwarded-For`.\nUnless this field is disabled, it always has a value, and it matches the `client_ip` for non proxy clients.\n',
+ },
+ {
+ name: 'transport',
+ type: 'alias',
+ path: 'network.transport',
+ migration: true,
+ description:
+ 'The transport protocol used for the transaction. If not specified, then tcp is assumed.\n',
+ },
+ ],
+ },
+ {
+ key: 'flows_event',
+ title: 'Flow Event',
+ description: 'These fields contain data about the flow itself.\n',
+ fields: [
+ {
+ name: 'flow.final',
+ type: 'boolean',
+ description:
+ 'Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.\n',
+ },
+ {
+ name: 'flow.id',
+ description: 'Internal flow ID based on connection meta data and address.\n',
+ },
+ {
+ name: 'flow.vlan',
+ type: 'long',
+ description:
+ "VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.\n",
+ },
+ {
+ name: 'flow_id',
+ type: 'alias',
+ path: 'flow.id',
+ migration: true,
+ },
+ {
+ name: 'final',
+ type: 'alias',
+ path: 'flow.final',
+ migration: true,
+ },
+ {
+ name: 'vlan',
+ type: 'alias',
+ path: 'flow.vlan',
+ migration: true,
+ },
+ {
+ name: 'source.stats.net_bytes_total',
+ type: 'alias',
+ path: 'source.bytes',
+ migration: true,
+ },
+ {
+ name: 'source.stats.net_packets_total',
+ type: 'alias',
+ path: 'source.packets',
+ migration: true,
+ },
+ {
+ name: 'dest.stats.net_bytes_total',
+ type: 'alias',
+ path: 'destination.bytes',
+ migration: true,
+ },
+ {
+ name: 'dest.stats.net_packets_total',
+ type: 'alias',
+ path: 'destination.packets',
+ migration: true,
+ },
+ ],
+ },
+ {
+ key: 'trans_event',
+ title: 'Transaction Event',
+ description: 'These fields contain data about the transaction itself.\n',
+ fields: [
+ {
+ name: 'status',
+ description:
+ 'The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.\n',
+ required: true,
+ possible_values: ['OK', 'Error', 'Server Error', 'Client Error'],
+ },
+ {
+ name: 'method',
+ description:
+ 'The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).\n',
+ },
+ {
+ name: 'resource',
+ description:
+ 'The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.\n',
+ },
+ {
+ name: 'path',
+ required: true,
+ description:
+ 'The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.\n',
+ },
+ {
+ name: 'query',
+ type: 'keyword',
+ description:
+ 'The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.\n',
+ },
+ {
+ name: 'params',
+ type: 'text',
+ description:
+ 'The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.\n',
+ },
+ {
+ name: 'notes',
+ type: 'alias',
+ path: 'error.message',
+ description:
+ 'Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting.\n',
+ },
+ ],
+ },
+ {
+ key: 'raw',
+ title: 'Raw',
+ description: 'These fields contain the raw transaction data.',
+ fields: [
+ {
+ name: 'request',
+ type: 'text',
+ description:
+ 'For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.\n',
+ },
+ {
+ name: 'response',
+ type: 'text',
+ description:
+ 'For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.\n',
+ },
+ ],
+ },
+ {
+ key: 'trans_measurements',
+ title: 'Measurements (Transactions)',
+ description: 'These fields contain measurements related to the transaction.\n',
+ fields: [
+ {
+ name: 'bytes_in',
+ type: 'alias',
+ path: 'source.bytes',
+ description:
+ 'The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers.\n',
+ },
+ {
+ name: 'bytes_out',
+ type: 'alias',
+ path: 'destination.bytes',
+ description:
+ 'The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers.\n',
+ },
+ ],
+ },
+ {
+ key: 'amqp',
+ title: 'AMQP',
+ description: 'AMQP specific event fields.',
+ fields: [
+ {
+ name: 'amqp',
+ type: 'group',
+ fields: [
+ {
+ name: 'reply-code',
+ type: 'long',
+ description: 'AMQP reply code to an error, similar to http reply-code\n',
+ example: 404,
+ },
+ {
+ name: 'reply-text',
+ type: 'keyword',
+ description: 'Text explaining the error.\n',
+ },
+ {
+ name: 'class-id',
+ type: 'long',
+ description: 'Failing method class.\n',
+ },
+ {
+ name: 'method-id',
+ type: 'long',
+ description: 'Failing method ID.\n',
+ },
+ {
+ name: 'exchange',
+ type: 'keyword',
+ description: 'Name of the exchange.\n',
+ },
+ {
+ name: 'exchange-type',
+ type: 'keyword',
+ description: 'Exchange type.\n',
+ example: 'fanout',
+ },
+ {
+ name: 'passive',
+ type: 'boolean',
+ description: 'If set, do not create exchange/queue.\n',
+ },
+ {
+ name: 'durable',
+ type: 'boolean',
+ description: 'If set, request a durable exchange/queue.\n',
+ },
+ {
+ name: 'exclusive',
+ type: 'boolean',
+ description: 'If set, request an exclusive queue.\n',
+ },
+ {
+ name: 'auto-delete',
+ type: 'boolean',
+ description: 'If set, auto-delete queue when unused.\n',
+ },
+ {
+ name: 'no-wait',
+ type: 'boolean',
+ description: 'If set, the server will not respond to the method.\n',
+ },
+ {
+ name: 'consumer-tag',
+ description: 'Identifier for the consumer, valid within the current channel.\n',
+ },
+ {
+ name: 'delivery-tag',
+ type: 'long',
+ description: 'The server-assigned and channel-specific delivery tag.\n',
+ },
+ {
+ name: 'message-count',
+ type: 'long',
+ description:
+ 'The number of messages in the queue, which will be zero for newly-declared queues.\n',
+ },
+ {
+ name: 'consumer-count',
+ type: 'long',
+ description: 'The number of consumers of a queue.\n',
+ },
+ {
+ name: 'routing-key',
+ type: 'keyword',
+ description: 'Message routing key.\n',
+ },
+ {
+ name: 'no-ack',
+ type: 'boolean',
+ description: 'If set, the server does not expect acknowledgements for messages.\n',
+ },
+ {
+ name: 'no-local',
+ type: 'boolean',
+ description:
+ 'If set, the server will not send messages to the connection that published them.\n',
+ },
+ {
+ name: 'if-unused',
+ type: 'boolean',
+ description: 'Delete only if unused.\n',
+ },
+ {
+ name: 'if-empty',
+ type: 'boolean',
+ description: 'Delete only if empty.\n',
+ },
+ {
+ name: 'queue',
+ type: 'keyword',
+ description: 'The queue name identifies the queue within the vhost.\n',
+ },
+ {
+ name: 'redelivered',
+ type: 'boolean',
+ description:
+ 'Indicates that the message has been previously delivered to this or another client.\n',
+ },
+ {
+ name: 'multiple',
+ type: 'boolean',
+ description: 'Acknowledge multiple messages.\n',
+ },
+ {
+ name: 'arguments',
+ type: 'object',
+ description:
+ 'Optional additional arguments passed to some methods. Can be of various types.\n',
+ },
+ {
+ name: 'mandatory',
+ type: 'boolean',
+ description: 'Indicates mandatory routing.\n',
+ },
+ {
+ name: 'immediate',
+ type: 'boolean',
+ description: 'Request immediate delivery.\n',
+ },
+ {
+ name: 'content-type',
+ type: 'keyword',
+ description: 'MIME content type.\n',
+ example: 'text/plain',
+ },
+ {
+ name: 'content-encoding',
+ type: 'keyword',
+ description: 'MIME content encoding.\n',
+ },
+ {
+ name: 'headers',
+ type: 'object',
+ object_type: 'keyword',
+ description: 'Message header field table.\n',
+ },
+ {
+ name: 'delivery-mode',
+ type: 'keyword',
+ description: 'Non-persistent (1) or persistent (2).\n',
+ },
+ {
+ name: 'priority',
+ type: 'long',
+ description: 'Message priority, 0 to 9.\n',
+ },
+ {
+ name: 'correlation-id',
+ type: 'keyword',
+ description: 'Application correlation identifier.\n',
+ },
+ {
+ name: 'reply-to',
+ type: 'keyword',
+ description: 'Address to reply to.\n',
+ },
+ {
+ name: 'expiration',
+ type: 'keyword',
+ description: 'Message expiration specification.\n',
+ },
+ {
+ name: 'message-id',
+ type: 'keyword',
+ description: 'Application message identifier.\n',
+ },
+ {
+ name: 'timestamp',
+ type: 'keyword',
+ description: 'Message timestamp.\n',
+ },
+ {
+ name: 'type',
+ type: 'keyword',
+ description: 'Message type name.\n',
+ },
+ {
+ name: 'user-id',
+ type: 'keyword',
+ description: 'Creating user id.\n',
+ },
+ {
+ name: 'app-id',
+ type: 'keyword',
+ description: 'Creating application id.\n',
+ },
+ ],
+ },
+ ],
+ },
+ {
+ key: 'cassandra',
+ title: 'Cassandra',
+ description: 'Cassandra v4/3 specific event fields.',
+ fields: [
+ {
+ name: 'no_request',
+ type: 'alias',
+ path: 'cassandra.no_request',
+ migration: true,
+ },
+ {
+ name: 'cassandra',
+ type: 'group',
+ description: 'Information about the Cassandra request and response.',
+ fields: [
+ {
+ name: 'no_request',
+ type: 'boolean',
+ description: 'Indicates that there is no request because this is a PUSH message.\n',
+ },
+ {
+ name: 'request',
+ type: 'group',
+ description: 'Cassandra request.',
+ fields: [
+ {
+ name: 'headers',
+ type: 'group',
+ description: 'Cassandra request headers.',
+ fields: [
+ {
+ name: 'version',
+ type: 'long',
+ description: 'The version of the protocol.',
+ },
+ {
+ name: 'flags',
+ type: 'keyword',
+ description: 'Flags applying to this frame.',
+ },
+ {
+ name: 'stream',
+ type: 'keyword',
+ description:
+ 'A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.',
+ },
+ {
+ name: 'op',
+ type: 'keyword',
+ description: 'An operation type that distinguishes the actual message.',
+ },
+ {
+ name: 'length',
+ type: 'long',
+ description:
+ 'A integer representing the length of the body of the frame (a frame is limited to 256MB in length).',
+ },
+ ],
+ },
+ {
+ name: 'query',
+ type: 'keyword',
+ description: 'The CQL query which client send to cassandra.',
+ },
+ ],
+ },
+ {
+ name: 'response',
type: 'group',
description: 'Cassandra response.',
fields: [
@@ -3243,19 +6791,19 @@ export const packetbeatSchema: Schema = [
name: 'transaction_id',
type: 'keyword',
description:
- 'Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server.',
+ 'Transaction ID, a random number chosen by the\nclient, used by the client and server to associate\nmessages and responses between a client and a\nserver.\n',
},
{
name: 'seconds',
type: 'long',
description:
- 'Number of seconds elapsed since client began address acquisition or renewal process.',
+ 'Number of seconds elapsed since client began address acquisition or\nrenewal process.\n',
},
{
name: 'flags',
type: 'keyword',
description:
- 'Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast.',
+ 'Flags are set by the client to indicate how the DHCP server should\nits reply -- either unicast or broadcast.\n',
},
{
name: 'client_ip',
@@ -3266,19 +6814,19 @@ export const packetbeatSchema: Schema = [
name: 'assigned_ip',
type: 'ip',
description:
- 'The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address.',
+ 'The IP address that the DHCP server is assigning to the client.\nThis field is also known as "your" IP address.\n',
},
{
name: 'server_ip',
type: 'ip',
description:
- 'The IP address of the DHCP server that the client should use for the next step in the bootstrap process.',
+ 'The IP address of the DHCP server that the client should use for the\nnext step in the bootstrap process.\n',
},
{
name: 'relay_ip',
type: 'ip',
description:
- 'The relay IP address used by the client to contact the server (i.e. a DHCP relay server).',
+ 'The relay IP address used by the client to contact the server\n(i.e. a DHCP relay server).\n',
},
{
name: 'client_mac',
@@ -3289,13 +6837,13 @@ export const packetbeatSchema: Schema = [
name: 'server_name',
type: 'keyword',
description:
- 'The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages.',
+ 'The name of the server sending the message. Optional. Used in\nDHCPOFFER or DHCPACK messages.\n',
},
{
name: 'op_code',
type: 'keyword',
example: 'bootreply',
- description: 'The message op code (bootrequest or bootreply).',
+ description: 'The message op code (bootrequest or bootreply).\n',
},
{
name: 'hops',
@@ -3306,7 +6854,7 @@ export const packetbeatSchema: Schema = [
name: 'hardware_type',
type: 'keyword',
description:
- 'The type of hardware used for the local network (Ethernet, LocalTalk, etc).',
+ 'The type of hardware used for the local network (Ethernet,\nLocalTalk, etc).\n',
},
{
name: 'option',
@@ -3317,124 +6865,126 @@ export const packetbeatSchema: Schema = [
type: 'keyword',
example: 'ack',
description:
- 'The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform).',
+ 'The specific type of DHCP message being sent (e.g. discover,\noffer, request, decline, ack, nak, release, inform).\n',
},
{
name: 'parameter_request_list',
type: 'keyword',
description:
- 'This option is used by a DHCP client to request values for specified configuration parameters.',
+ 'This option is used by a DHCP client to request values for\nspecified configuration parameters.\n',
},
{
name: 'requested_ip_address',
type: 'ip',
description:
- 'This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned.',
+ 'This option is used in a client request (DHCPDISCOVER) to allow\nthe client to request that a particular IP address be assigned.\n',
},
{
name: 'server_identifier',
type: 'ip',
- description: 'IP address of the individual DHCP server which handled this message.',
+ description:
+ 'IP address of the individual DHCP server which handled this\nmessage.\n',
},
{
name: 'broadcast_address',
type: 'ip',
description:
- "This option specifies the broadcast address in use on the client's subnet. ",
+ "This option specifies the broadcast address in use on the\nclient's subnet.\n",
},
{
name: 'max_dhcp_message_size',
type: 'long',
description:
- 'This option specifies the maximum length DHCP message that the client is willing to accept.',
+ 'This option specifies the maximum length DHCP message that the\nclient is willing to accept.\n',
},
{
name: 'class_identifier',
type: 'keyword',
description:
- "This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client's hardware configuration. ",
+ "This option is used by DHCP clients to optionally identify the\nvendor type and configuration of a DHCP client. Vendors may\nchoose to define specific vendor class identifiers to convey\nparticular configuration or other identification information\nabout a client. For example, the identifier may encode the\nclient's hardware configuration.\n",
},
{
name: 'domain_name',
type: 'keyword',
description:
- 'This option specifies the domain name that client should use when resolving hostnames via the Domain Name System.',
+ 'This option specifies the domain name that client should use\nwhen resolving hostnames via the Domain Name System.\n',
},
{
name: 'dns_servers',
type: 'ip',
description:
- 'The domain name server option specifies a list of Domain Name System servers available to the client.',
+ 'The domain name server option specifies a list of Domain Name\nSystem servers available to the client.\n',
},
{
name: 'vendor_identifying_options',
type: 'object',
description:
- 'A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925.',
+ 'A DHCP client may use this option to unambiguously identify the\nvendor that manufactured the hardware on which the client is\nrunning, the software in use, or an industry consortium to which\nthe vendor belongs. This field is described in RFC 3925.\n',
},
{
name: 'subnet_mask',
type: 'ip',
- description: 'The subnet mask that the client should use on the currnet network.',
+ description:
+ 'The subnet mask that the client should use on the currnet\nnetwork.\n',
},
{
name: 'utc_time_offset_sec',
type: 'long',
description:
- "The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). ",
+ "The time offset field specifies the offset of the client's\nsubnet in seconds from Coordinated Universal Time (UTC).\n",
},
{
name: 'router',
type: 'ip',
description:
- "The router option specifies a list of IP addresses for routers on the client's subnet. ",
+ "The router option specifies a list of IP addresses for routers\non the client's subnet.\n",
},
{
name: 'time_servers',
type: 'ip',
description:
- 'The time server option specifies a list of RFC 868 time servers available to the client.',
+ 'The time server option specifies a list of RFC 868 time servers\navailable to the client.\n',
},
{
name: 'ntp_servers',
type: 'ip',
description:
- 'This option specifies a list of IP addresses indicating NTP servers available to the client.',
+ 'This option specifies a list of IP addresses indicating NTP\nservers available to the client.\n',
},
{
name: 'hostname',
type: 'keyword',
- description: 'This option specifies the name of the client.',
+ description: 'This option specifies the name of the client.\n',
},
{
name: 'ip_address_lease_time_sec',
type: 'long',
description:
- 'This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer.',
+ 'This option is used in a client request (DHCPDISCOVER or\nDHCPREQUEST) to allow the client to request a lease time for the\nIP address. In a server reply (DHCPOFFER), a DHCP server uses\nthis option to specify the lease time it is willing to offer.\n',
},
{
name: 'message',
type: 'text',
description:
- 'This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters.',
+ 'This option is used by a DHCP server to provide an error message\nto a DHCP client in a DHCPNAK message in the event of a failure.\nA client may use this option in a DHCPDECLINE message to\nindicate the why the client declined the offered parameters.\n',
},
{
name: 'renewal_time_sec',
type: 'long',
description:
- 'This option specifies the time interval from address assignment until the client transitions to the RENEWING state.',
+ 'This option specifies the time interval from address assignment\nuntil the client transitions to the RENEWING state.\n',
},
{
name: 'rebinding_time_sec',
type: 'long',
description:
- 'This option specifies the time interval from address assignment until the client transitions to the REBINDING state.',
+ 'This option specifies the time interval from address assignment\nuntil the client transitions to the REBINDING state.\n',
},
{
name: 'boot_file_name',
type: 'keyword',
description:
- "This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. ",
+ "This option is used to identify a bootfile when the 'file' field\nin the DHCP header has been used for DHCP options.\n",
},
],
},
@@ -3451,129 +7001,64 @@ export const packetbeatSchema: Schema = [
name: 'dns',
type: 'group',
fields: [
- {
- name: 'id',
- type: 'long',
- description:
- 'The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.',
- },
- {
- name: 'op_code',
- description:
- 'The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.',
- example: 'QUERY',
- },
{
name: 'flags.authoritative',
type: 'boolean',
description:
- 'A DNS flag specifying that the responding server is an authority for the domain name used in the question.',
+ 'A DNS flag specifying that the responding server is an authority for the domain name used in the question.\n',
},
{
name: 'flags.recursion_available',
type: 'boolean',
description:
- 'A DNS flag specifying whether recursive query support is available in the name server.',
+ 'A DNS flag specifying whether recursive query support is available in the name server.\n',
},
{
name: 'flags.recursion_desired',
type: 'boolean',
description:
- 'A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.',
+ 'A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.\n',
},
{
name: 'flags.authentic_data',
type: 'boolean',
description:
- 'A DNS flag specifying that the recursive server considers the response authentic.',
+ 'A DNS flag specifying that the recursive server considers the response authentic.\n',
},
{
name: 'flags.checking_disabled',
type: 'boolean',
description:
- 'A DNS flag specifying that the client disables the server signature validation of the query.',
+ 'A DNS flag specifying that the client disables the server signature validation of the query.\n',
},
{
name: 'flags.truncated_response',
type: 'boolean',
description:
- 'A DNS flag specifying that only the first 512 bytes of the reply were returned.',
- },
- {
- name: 'response_code',
- description: 'The DNS status code.',
- example: 'NOERROR',
- },
- {
- name: 'question.name',
- description:
- 'The domain name being queried. If the name field contains non-printable characters (below 32 or above 126), then those characters are represented as escaped base 10 integers (\\DDD). Back slashes and quotes are escaped. Tabs, carriage returns, and line feeds are converted to \\t, \\r, and respectively.',
- example: 'www.google.com.',
- },
- {
- name: 'question.type',
- description: 'The type of records being queried.',
- example: 'AAAA',
- },
- {
- name: 'question.class',
- description: 'The class of of records being queried.',
- example: 'IN',
+ 'A DNS flag specifying that only the first 512 bytes of the reply were returned.\n',
},
{
name: 'question.etld_plus_one',
description:
- 'The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.',
+ 'The effective top-level domain (eTLD) plus one more label.\nFor example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.".\nThe data for determining the eTLD comes from an embedded copy of the\ndata from http://publicsuffix.org.',
example: 'amazon.co.uk.',
},
- {
- name: 'answers',
- type: 'object',
- description:
- 'An array containing a dictionary about each answer section returned by the server.',
- },
{
name: 'answers_count',
type: 'long',
- description: 'The number of resource records contained in the `dns.answers` field.',
- },
- {
- name: 'answers.name',
- description: 'The domain name to which this resource record pertains.',
- example: 'example.com.',
- },
- {
- name: 'answers.type',
- description: 'The type of data contained in this resource record.',
- example: 'MX',
- },
- {
- name: 'answers.class',
- description: 'The class of DNS data contained in this resource record.',
- example: 'IN',
- },
- {
- name: 'answers.ttl',
- description:
- 'The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.',
- type: 'long',
- },
- {
- name: 'answers.data',
- description:
- 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.',
+ description: 'The number of resource records contained in the `dns.answers` field.\n',
},
{
name: 'authorities',
type: 'object',
description:
- 'An array containing a dictionary for each authority section from the answer.',
+ 'An array containing a dictionary for each authority section from the answer.\n',
},
{
name: 'authorities_count',
type: 'long',
description:
- 'The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat.',
+ 'The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat.\n',
},
{
name: 'authorities.name',
@@ -3594,13 +7079,13 @@ export const packetbeatSchema: Schema = [
name: 'additionals',
type: 'object',
description:
- 'An array containing a dictionary for each additional section from the answer.',
+ 'An array containing a dictionary for each additional section from the answer.\n',
},
{
name: 'additionals_count',
type: 'long',
description:
- 'The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat.',
+ 'The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat.\n',
},
{
name: 'additionals.name',
@@ -3620,13 +7105,13 @@ export const packetbeatSchema: Schema = [
{
name: 'additionals.ttl',
description:
- 'The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.',
+ 'The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.\n',
type: 'long',
},
{
name: 'additionals.data',
description:
- 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.',
+ 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.\n',
},
{
name: 'opt.version',
@@ -3672,7 +7157,7 @@ export const packetbeatSchema: Schema = [
type: 'object',
object_type: 'keyword',
description:
- 'A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.',
+ 'A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.\n',
},
{
name: 'params',
@@ -3697,7 +7182,7 @@ export const packetbeatSchema: Schema = [
type: 'object',
object_type: 'keyword',
description:
- 'A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.',
+ 'A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.\n',
},
{
name: 'code',
@@ -3720,7 +7205,7 @@ export const packetbeatSchema: Schema = [
{
key: 'icmp',
title: 'ICMP',
- description: 'ICMP specific event fields.',
+ description: 'ICMP specific event fields.\n',
fields: [
{
name: 'icmp',
@@ -3778,232 +7263,232 @@ export const packetbeatSchema: Schema = [
name: 'protocol_type',
type: 'keyword',
description:
- 'The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type.',
+ 'The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type.\n',
},
{
name: 'request.line',
type: 'keyword',
- description: 'The raw command line for unknown commands ONLY.',
+ description: 'The raw command line for unknown commands ONLY.\n',
},
{
name: 'request.command',
type: 'keyword',
description:
- 'The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands.',
+ 'The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands.\n',
},
{
name: 'response.command',
type: 'keyword',
description:
- 'Either the text based protocol response message type or the name of the originating request if binary protocol is used.',
+ 'Either the text based protocol response message type or the name of the originating request if binary protocol is used.\n',
},
{
name: 'request.type',
type: 'keyword',
description:
- 'The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth".',
+ 'The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth".\n',
},
{
name: 'response.type',
type: 'keyword',
description:
- 'The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol).',
+ 'The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol).\n',
},
{
name: 'response.error_msg',
type: 'keyword',
description:
- 'The optional error message in the memcache response (text based protocol only).',
+ 'The optional error message in the memcache response (text based protocol only).\n',
},
{
name: 'request.opcode',
type: 'keyword',
- description: 'The binary protocol message opcode name.',
+ description: 'The binary protocol message opcode name.\n',
},
{
name: 'response.opcode',
type: 'keyword',
- description: 'The binary protocol message opcode name.',
+ description: 'The binary protocol message opcode name.\n',
},
{
name: 'request.opcode_value',
type: 'long',
- description: 'The binary protocol message opcode value.',
+ description: 'The binary protocol message opcode value.\n',
},
{
name: 'response.opcode_value',
type: 'long',
- description: 'The binary protocol message opcode value.',
+ description: 'The binary protocol message opcode value.\n',
},
{
name: 'request.opaque',
type: 'long',
description:
- 'The binary protocol opaque header value used for correlating request with response messages.',
+ 'The binary protocol opaque header value used for correlating request with response messages.\n',
},
{
name: 'response.opaque',
type: 'long',
description:
- 'The binary protocol opaque header value used for correlating request with response messages.',
+ 'The binary protocol opaque header value used for correlating request with response messages.\n',
},
{
name: 'request.vbucket',
type: 'long',
- description: 'The vbucket index sent in the binary message.',
+ description: 'The vbucket index sent in the binary message.\n',
},
{
name: 'response.status',
type: 'keyword',
description:
- 'The textual representation of the response error code (binary protocol only).',
+ 'The textual representation of the response error code (binary protocol only).\n',
},
{
name: 'response.status_code',
type: 'long',
- description: 'The status code value returned in the response (binary protocol only).',
+ description: 'The status code value returned in the response (binary protocol only).\n',
},
{
name: 'request.keys',
type: 'array',
- description: 'The list of keys sent in the store or load commands.',
+ description: 'The list of keys sent in the store or load commands.\n',
},
{
name: 'response.keys',
type: 'array',
- description: 'The list of keys returned for the load command (if present).',
+ description: 'The list of keys returned for the load command (if present).\n',
},
{
name: 'request.count_values',
type: 'long',
description:
- 'The number of values found in the memcache request message. If the command does not send any data, this field is missing.',
+ 'The number of values found in the memcache request message. If the command does not send any data, this field is missing.\n',
},
{
name: 'response.count_values',
type: 'long',
description:
- 'The number of values found in the memcache response message. If the command does not send any data, this field is missing.',
+ 'The number of values found in the memcache response message. If the command does not send any data, this field is missing.\n',
},
{
name: 'request.values',
type: 'array',
- description: 'The list of base64 encoded values sent with the request (if present).',
+ description: 'The list of base64 encoded values sent with the request (if present).\n',
},
{
name: 'response.values',
type: 'array',
- description: 'The list of base64 encoded values sent with the response (if present).',
+ description: 'The list of base64 encoded values sent with the response (if present).\n',
},
{
name: 'request.bytes',
type: 'long',
format: 'bytes',
- description: 'The byte count of the values being transferred.',
+ description: 'The byte count of the values being transferred.\n',
},
{
name: 'response.bytes',
type: 'long',
format: 'bytes',
- description: 'The byte count of the values being transferred.',
+ description: 'The byte count of the values being transferred.\n',
},
{
name: 'request.delta',
type: 'long',
- description: 'The counter increment/decrement delta value.',
+ description: 'The counter increment/decrement delta value.\n',
},
{
name: 'request.initial',
type: 'long',
description:
- 'The counter increment/decrement initial value parameter (binary protocol only).',
+ 'The counter increment/decrement initial value parameter (binary protocol only).\n',
},
{
name: 'request.verbosity',
type: 'long',
- description: 'The value of the memcache "verbosity" command.',
+ description: 'The value of the memcache "verbosity" command.\n',
},
{
name: 'request.raw_args',
type: 'keyword',
description:
- 'The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands.',
+ 'The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands.\n',
},
{
name: 'request.source_class',
type: 'long',
- description: "The source class id in 'slab reassign' command. ",
+ description: "The source class id in 'slab reassign' command.\n",
},
{
name: 'request.dest_class',
type: 'long',
- description: "The destination class id in 'slab reassign' command. ",
+ description: "The destination class id in 'slab reassign' command.\n",
},
{
name: 'request.automove',
type: 'keyword',
description:
- 'The automove mode in the \'slab automove\' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown.',
+ 'The automove mode in the \'slab automove\' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown.\n',
},
{
name: 'request.flags',
type: 'long',
- description: 'The memcache command flags sent in the request (if present).',
+ description: 'The memcache command flags sent in the request (if present).\n',
},
{
name: 'response.flags',
type: 'long',
- description: 'The memcache message flags sent in the response (if present).',
+ description: 'The memcache message flags sent in the response (if present).\n',
},
{
name: 'request.exptime',
type: 'long',
description:
- 'The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit).',
+ 'The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit).\n',
},
{
name: 'request.sleep_us',
type: 'long',
- description: "The sleep setting in microseconds for the 'lru_crawler sleep' command. ",
+ description: "The sleep setting in microseconds for the 'lru_crawler sleep' command.\n",
},
{
name: 'response.value',
type: 'long',
- description: 'The counter value returned by a counter operation.',
+ description: 'The counter value returned by a counter operation.\n',
},
{
name: 'request.noreply',
type: 'boolean',
description:
- 'Set to true if noreply was set in the request. The `memcache.response` field will be missing.',
+ 'Set to true if noreply was set in the request. The `memcache.response` field will be missing.\n',
},
{
name: 'request.quiet',
type: 'boolean',
description:
- 'Set to true if the binary protocol message is to be treated as a quiet message.',
+ 'Set to true if the binary protocol message is to be treated as a quiet message.\n',
},
{
name: 'request.cas_unique',
type: 'long',
- description: 'The CAS (compare-and-swap) identifier if present.',
+ description: 'The CAS (compare-and-swap) identifier if present.\n',
},
{
name: 'response.cas_unique',
type: 'long',
description:
- 'The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).',
+ 'The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).\n',
},
{
name: 'response.stats',
type: 'array',
description:
- 'The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value".',
+ 'The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value".\n',
},
{
name: 'response.version',
type: 'keyword',
- description: 'The returned memcache version string.',
+ description: 'The returned memcache version string.\n',
},
],
},
@@ -4013,7 +7498,7 @@ export const packetbeatSchema: Schema = [
key: 'mongodb',
title: 'MongoDb',
description:
- 'MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well.',
+ 'MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well.\n',
fields: [
{
name: 'mongodb',
@@ -4022,57 +7507,57 @@ export const packetbeatSchema: Schema = [
{
name: 'error',
description:
- 'If the MongoDB request has resulted in an error, this field contains the error message returned by the server.',
+ 'If the MongoDB request has resulted in an error, this field contains the error message returned by the server.\n',
},
{
name: 'fullCollectionName',
description:
- 'The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.',
+ 'The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.\n',
},
{
name: 'numberToSkip',
type: 'long',
description:
- 'Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query.',
+ 'Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query.\n',
},
{
name: 'numberToReturn',
type: 'long',
- description: 'The requested maximum number of documents to be returned.',
+ description: 'The requested maximum number of documents to be returned.\n',
},
{
name: 'numberReturned',
type: 'long',
- description: 'The number of documents in the reply.',
+ description: 'The number of documents in the reply.\n',
},
{
name: 'startingFrom',
- description: 'Where in the cursor this reply is starting.',
+ description: 'Where in the cursor this reply is starting.\n',
},
{
name: 'query',
description:
- 'A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.',
+ 'A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.\n',
},
{
name: 'returnFieldsSelector',
description:
- 'A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.',
+ 'A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.\n',
},
{
name: 'selector',
description:
- 'A BSON document that specifies the query for selecting the document to update or delete.',
+ 'A BSON document that specifies the query for selecting the document to update or delete.\n',
},
{
name: 'update',
description:
- 'A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.',
+ 'A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.\n',
},
{
name: 'cursorId',
description:
- 'The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.',
+ 'The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.\n',
},
],
},
@@ -4081,7 +7566,7 @@ export const packetbeatSchema: Schema = [
{
key: 'mysql',
title: 'MySQL',
- description: 'MySQL-specific event fields.',
+ description: 'MySQL-specific event fields.\n',
fields: [
{
name: 'mysql',
@@ -4091,35 +7576,35 @@ export const packetbeatSchema: Schema = [
name: 'affected_rows',
type: 'long',
description:
- 'If the MySQL command is successful, this field contains the affected number of rows of the last statement.',
+ 'If the MySQL command is successful, this field contains the affected number of rows of the last statement.\n',
},
{
name: 'insert_id',
description:
- 'If the INSERT query is successful, this field contains the id of the newly inserted row.',
+ 'If the INSERT query is successful, this field contains the id of the newly inserted row.\n',
},
{
name: 'num_fields',
description:
- 'If the SELECT query is successful, this field is set to the number of fields returned.',
+ 'If the SELECT query is successful, this field is set to the number of fields returned.\n',
},
{
name: 'num_rows',
description:
- 'If the SELECT query is successful, this field is set to the number of rows returned.',
+ 'If the SELECT query is successful, this field is set to the number of rows returned.\n',
},
{
name: 'query',
- description: "The row mysql query as read from the transaction's request. ",
+ description: "The row mysql query as read from the transaction's request.\n",
},
{
name: 'error_code',
type: 'long',
- description: 'The error code returned by MySQL.',
+ description: 'The error code returned by MySQL.\n',
},
{
name: 'error_message',
- description: 'The error info message returned by MySQL.',
+ description: 'The error info message returned by MySQL.\n',
},
],
},
@@ -4150,7 +7635,7 @@ export const packetbeatSchema: Schema = [
},
{
name: 'opcode',
- description: 'NFS operation name, or main operation name, in case of COMPOUND calls.',
+ description: 'NFS operation name, or main operation name, in case of COMPOUND calls.\n',
},
{
name: 'status',
@@ -4219,7 +7704,7 @@ export const packetbeatSchema: Schema = [
{
key: 'pgsql',
title: 'PostgreSQL',
- description: 'PostgreSQL-specific event fields.',
+ description: 'PostgreSQL-specific event fields.\n',
fields: [
{
name: 'pgsql',
@@ -4242,12 +7727,12 @@ export const packetbeatSchema: Schema = [
{
name: 'num_fields',
description:
- 'If the SELECT query if successful, this field is set to the number of fields returned.',
+ 'If the SELECT query if successful, this field is set to the number of fields returned.\n',
},
{
name: 'num_rows',
description:
- 'If the SELECT query if successful, this field is set to the number of rows returned.',
+ 'If the SELECT query if successful, this field is set to the number of rows returned.\n',
},
],
},
@@ -4256,7 +7741,7 @@ export const packetbeatSchema: Schema = [
{
key: 'redis',
title: 'Redis',
- description: 'Redis-specific event fields.',
+ description: 'Redis-specific event fields.\n',
fields: [
{
name: 'redis',
@@ -4264,12 +7749,12 @@ export const packetbeatSchema: Schema = [
fields: [
{
name: 'return_value',
- description: 'The return value of the Redis command in a human readable format.',
+ description: 'The return value of the Redis command in a human readable format.\n',
},
{
name: 'error',
description:
- 'If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.',
+ 'If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.\n',
},
],
},
@@ -4278,7 +7763,7 @@ export const packetbeatSchema: Schema = [
{
key: 'thrift',
title: 'Thrift-RPC',
- description: 'Thrift-RPC specific event fields.',
+ description: 'Thrift-RPC specific event fields.\n',
fields: [
{
name: 'thrift',
@@ -4287,521 +7772,785 @@ export const packetbeatSchema: Schema = [
{
name: 'params',
description:
- 'The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.',
+ 'The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.\n',
},
{
name: 'service',
- description: 'The name of the Thrift-RPC service as defined in the IDL files.',
+ description: 'The name of the Thrift-RPC service as defined in the IDL files.\n',
},
{
name: 'return_value',
description:
- 'The value returned by the Thrift-RPC call. This is encoded in a human readable format.',
+ 'The value returned by the Thrift-RPC call. This is encoded in a human readable format.\n',
},
{
name: 'exceptions',
description:
- 'If the call resulted in exceptions, this field contains the exceptions in a human readable format.',
+ 'If the call resulted in exceptions, this field contains the exceptions in a human readable format.\n',
},
],
},
],
- },
- {
- key: 'tls',
- title: 'TLS',
- description: 'TLS-specific event fields.',
- fields: [
- {
- name: 'tls',
- type: 'group',
- fields: [
- {
- name: 'version',
- type: 'keyword',
- description: 'The version of the TLS protocol used.',
- example: 'TLS 1.3',
- },
- {
- name: 'handshake_completed',
- type: 'boolean',
- description:
- 'Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.',
- },
- {
- name: 'resumed',
- type: 'boolean',
- description: 'If the TLS session has been resumed from a previous session.',
- },
- {
- name: 'resumption_method',
- type: 'keyword',
- description:
- 'If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.',
- },
- {
- name: 'client_certificate_requested',
- type: 'boolean',
- description:
- 'Whether the server has requested the client to authenticate itself using a client certificate.',
- },
- {
- name: 'client_hello',
- type: 'group',
- fields: [
- {
- name: 'version',
- type: 'keyword',
- description:
- 'The version of the TLS protocol by which the client wishes to communicate during this session.',
- },
- {
- name: 'supported_ciphers',
- type: 'array',
- description:
- 'List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4',
- },
- {
- name: 'supported_compression_methods',
- type: 'array',
- description:
- 'The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml',
- },
- {
- name: 'extensions',
- type: 'group',
- description: 'The hello extensions provided by the client.',
- fields: [
- {
- name: 'server_name_indication',
- type: 'keyword',
- description: 'List of hostnames',
- },
- {
- name: 'application_layer_protocol_negotiation',
- type: 'keyword',
- description:
- 'List of application-layer protocols the client is willing to use.',
- },
- {
- name: 'session_ticket',
- type: 'keyword',
- description:
- 'Length of the session ticket, if provided, or an empty string to advertise support for tickets.',
- },
- {
- name: 'supported_versions',
- type: 'keyword',
- description: 'List of TLS versions that the client is willing to use.',
- },
- {
- name: 'supported_groups',
- type: 'keyword',
- description:
- 'List of Elliptic Curve Cryptography (ECC) curve groups supported by the client.',
- },
- {
- name: 'signature_algorithms',
- type: 'keyword',
- description:
- 'List of signature algorithms that may be use in digital signatures.',
- },
- {
- name: 'ec_points_formats',
- type: 'keyword',
- description:
- 'List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse.',
- },
- {
- name: '_unparsed_',
- type: 'keyword',
- description: 'List of extensions that were left unparsed by Packetbeat.',
- },
- ],
- },
- ],
- },
+ },
+ {
+ key: 'tls_detailed',
+ title: 'Detailed TLS',
+ description: 'Detailed TLS-specific event fields.\n',
+ fields: [
+ {
+ name: 'tls',
+ type: 'group',
+ fields: [
{
- name: 'server_hello',
+ name: 'detailed',
type: 'group',
+ default_fields: false,
fields: [
{
name: 'version',
type: 'keyword',
- description:
- 'The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.',
- },
- {
- name: 'selected_cipher',
- type: 'keyword',
- description:
- 'The cipher suite selected by the server from the list provided by in the client hello.',
+ description: 'The version of the TLS protocol used.\n',
+ example: 'TLS 1.3',
},
{
- name: 'selected_compression_method',
+ name: 'resumption_method',
type: 'keyword',
description:
- 'The compression method selected by the server from the list provided in the client hello.',
+ 'If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.\n',
},
{
- name: 'session_id',
- type: 'keyword',
+ name: 'client_certificate_requested',
+ type: 'boolean',
description:
- 'Unique number to identify the session for the corresponding connection with the client.',
+ 'Whether the server has requested the client to authenticate itself using a client certificate.\n',
},
{
- name: 'extensions',
+ name: 'client_hello',
type: 'group',
- description: 'The hello extensions provided by the server.',
fields: [
{
- name: 'application_layer_protocol_negotiation',
- type: 'array',
- description: 'Negotiated application layer protocol',
- },
- {
- name: 'session_ticket',
+ name: 'version',
type: 'keyword',
description:
- 'Used to announce that a session ticket will be provided by the server. Always an empty string.',
+ 'The version of the TLS protocol by which the client wishes to communicate during this session.\n',
},
{
- name: 'supported_versions',
+ name: 'session_id',
type: 'keyword',
- description: 'Negotiated TLS version to be used.',
+ description:
+ 'Unique number to identify the session for the corresponding connection with the client.\n',
},
{
- name: 'ec_points_formats',
+ name: 'supported_compression_methods',
type: 'keyword',
description:
- 'List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse.',
+ 'The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml\n',
},
{
- name: '_unparsed_',
- type: 'keyword',
- description: 'List of extensions that were left unparsed by Packetbeat.',
+ name: 'extensions',
+ type: 'group',
+ description: 'The hello extensions provided by the client.',
+ fields: [
+ {
+ name: 'server_name_indication',
+ type: 'keyword',
+ description: 'List of hostnames',
+ },
+ {
+ name: 'application_layer_protocol_negotiation',
+ type: 'keyword',
+ description:
+ 'List of application-layer protocols the client is willing to use.\n',
+ },
+ {
+ name: 'session_ticket',
+ type: 'keyword',
+ description:
+ 'Length of the session ticket, if provided, or an empty string to advertise support for tickets.\n',
+ },
+ {
+ name: 'supported_versions',
+ type: 'keyword',
+ description: 'List of TLS versions that the client is willing to use.\n',
+ },
+ {
+ name: 'supported_groups',
+ type: 'keyword',
+ description:
+ 'List of Elliptic Curve Cryptography (ECC) curve groups supported by the client.\n',
+ },
+ {
+ name: 'signature_algorithms',
+ type: 'keyword',
+ description:
+ 'List of signature algorithms that may be use in digital signatures.\n',
+ },
+ {
+ name: 'ec_points_formats',
+ type: 'keyword',
+ description:
+ 'List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse.\n',
+ },
+ {
+ name: '_unparsed_',
+ type: 'keyword',
+ description: 'List of extensions that were left unparsed by Packetbeat.\n',
+ },
+ ],
},
],
},
- ],
- },
- {
- name: 'client_certificate',
- type: 'group',
- description: 'Certificate provided by the client for authentication.',
- fields: [
- {
- name: 'version',
- type: 'long',
- description: 'X509 format version.',
- },
- {
- name: 'serial_number',
- type: 'keyword',
- description: "The certificate's serial number.",
- },
- {
- name: 'not_before',
- type: 'date',
- description: 'Date before which the certificate is not valid.',
- },
{
- name: 'not_after',
- type: 'date',
- description: 'Date after which the certificate expires.',
- },
- {
- name: 'public_key_algorithm',
- type: 'keyword',
- description:
- "The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA. ",
- },
- {
- name: 'public_key_size',
- type: 'long',
- description: 'Size of the public key.',
- },
- {
- name: 'signature_algorithm',
- type: 'keyword',
- description: "The algorithm used for the certificate's signature. ",
- },
- {
- name: 'alternative_names',
- type: 'array',
- description: 'Subject Alternative Names for this certificate.',
- },
- {
- name: 'raw',
- type: 'keyword',
- description: 'The raw certificate in PEM format.',
- },
- {
- name: 'subject',
+ name: 'server_hello',
type: 'group',
- description: 'Subject represented by this certificate.',
fields: [
{
- name: 'country',
- type: 'keyword',
- description: 'Country code.',
- },
- {
- name: 'organization',
+ name: 'version',
type: 'keyword',
- description: 'Organization name.',
+ description:
+ 'The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.\n',
},
{
- name: 'organizational_unit',
+ name: 'selected_compression_method',
type: 'keyword',
- description: 'Unit within organization.',
+ description:
+ 'The compression method selected by the server from the list provided in the client hello.\n',
},
{
- name: 'province',
+ name: 'session_id',
type: 'keyword',
- description: 'Province or region within country.',
+ description:
+ 'Unique number to identify the session for the corresponding connection with the client.\n',
},
{
- name: 'common_name',
- type: 'keyword',
- description: 'Name or host name identified by the certificate.',
+ name: 'extensions',
+ type: 'group',
+ description: 'The hello extensions provided by the server.',
+ fields: [
+ {
+ name: 'application_layer_protocol_negotiation',
+ type: 'keyword',
+ description: 'Negotiated application layer protocol',
+ },
+ {
+ name: 'session_ticket',
+ type: 'keyword',
+ description:
+ 'Used to announce that a session ticket will be provided by the server. Always an empty string.\n',
+ },
+ {
+ name: 'supported_versions',
+ type: 'keyword',
+ description: 'Negotiated TLS version to be used.\n',
+ },
+ {
+ name: 'ec_points_formats',
+ type: 'keyword',
+ description:
+ 'List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse.\n',
+ },
+ {
+ name: '_unparsed_',
+ type: 'keyword',
+ description: 'List of extensions that were left unparsed by Packetbeat.\n',
+ },
+ ],
},
],
},
{
- name: 'issuer',
+ name: 'client_certificate',
type: 'group',
- description: 'Entity that issued and signed this certificate.',
+ description: 'Certificate provided by the client for authentication.',
fields: [
{
- name: 'country',
- type: 'keyword',
- description: 'Country code.',
+ name: 'version',
+ type: 'long',
+ description: 'X509 format version.',
},
{
- name: 'organization',
+ name: 'serial_number',
type: 'keyword',
- description: 'Organization name.',
+ description: "The certificate's serial number.",
},
{
- name: 'organizational_unit',
- type: 'keyword',
- description: 'Unit within organization.',
+ name: 'not_before',
+ type: 'date',
+ description: 'Date before which the certificate is not valid.',
},
{
- name: 'province',
- type: 'keyword',
- description: 'Province or region within country.',
+ name: 'not_after',
+ type: 'date',
+ description: 'Date after which the certificate expires.',
},
{
- name: 'common_name',
+ name: 'public_key_algorithm',
type: 'keyword',
- description: 'Name or host name identified by the certificate.',
+ description:
+ "The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA.\n",
},
- ],
- },
- {
- name: 'fingerprint',
- type: 'group',
- fields: [
{
- name: 'md5',
- type: 'keyword',
- description: "Certificate's MD5 fingerprint.",
+ name: 'public_key_size',
+ type: 'long',
+ description: 'Size of the public key.',
},
{
- name: 'sha1',
+ name: 'signature_algorithm',
type: 'keyword',
- description: "Certificate's SHA-1 fingerprint.",
+ description: "The algorithm used for the certificate's signature.\n",
},
{
- name: 'sha256',
+ name: 'alternative_names',
type: 'keyword',
- description: "Certificate's SHA-256 fingerprint.",
+ description: 'Subject Alternative Names for this certificate.',
+ },
+ {
+ name: 'subject',
+ type: 'group',
+ description: 'Subject represented by this certificate.',
+ fields: [
+ {
+ name: 'country',
+ type: 'keyword',
+ description: 'Country code.',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description: 'Organization name.',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description: 'Unit within organization.',
+ },
+ {
+ name: 'province',
+ type: 'keyword',
+ description: 'Province or region within country.',
+ },
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description: 'Name or host name identified by the certificate.',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description: 'Locality.',
+ },
+ ],
+ },
+ {
+ name: 'issuer',
+ type: 'group',
+ description: 'Entity that issued and signed this certificate.',
+ fields: [
+ {
+ name: 'country',
+ type: 'keyword',
+ description: 'Country code.',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description: 'Organization name.',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description: 'Unit within organization.',
+ },
+ {
+ name: 'province',
+ type: 'keyword',
+ description: 'Province or region within country.',
+ },
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description: 'Name or host name identified by the certificate.',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description: 'Locality.',
+ },
+ ],
},
],
},
- ],
- },
- {
- name: 'server_certificate',
- type: 'group',
- description: 'Certificate provided by the server for authentication.',
- fields: [
- {
- name: 'version',
- type: 'long',
- description: 'X509 format version.',
- },
- {
- name: 'serial_number',
- type: 'keyword',
- description: "The certificate's serial number.",
- },
- {
- name: 'not_before',
- type: 'date',
- description: 'Date before which the certificate is not valid.',
- },
- {
- name: 'not_after',
- type: 'date',
- description: 'Date after which the certificate expires.',
- },
- {
- name: 'public_key_algorithm',
- type: 'keyword',
- description:
- "The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA. ",
- },
- {
- name: 'public_key_size',
- type: 'long',
- description: 'Size of the public key.',
- },
{
- name: 'signature_algorithm',
- type: 'keyword',
- description: "The algorithm used for the certificate's signature. ",
- },
- {
- name: 'alternative_names',
- type: 'array',
- description: 'Subject Alternative Names for this certificate.',
- },
- {
- name: 'raw',
- type: 'keyword',
- description: 'The raw certificate in PEM format.',
- },
- {
- name: 'subject',
+ name: 'server_certificate',
type: 'group',
- description: 'Subject represented by this certificate.',
+ description: 'Certificate provided by the server for authentication.',
fields: [
{
- name: 'country',
- type: 'keyword',
- description: 'Country code.',
+ name: 'version',
+ type: 'long',
+ description: 'X509 format version.',
},
{
- name: 'organization',
+ name: 'serial_number',
type: 'keyword',
- description: 'Organization name.',
+ description: "The certificate's serial number.",
+ },
+ {
+ name: 'not_before',
+ type: 'date',
+ description: 'Date before which the certificate is not valid.',
+ },
+ {
+ name: 'not_after',
+ type: 'date',
+ description: 'Date after which the certificate expires.',
},
{
- name: 'organizational_unit',
+ name: 'public_key_algorithm',
type: 'keyword',
- description: 'Unit within organization.',
+ description:
+ "The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA.\n",
+ },
+ {
+ name: 'public_key_size',
+ type: 'long',
+ description: 'Size of the public key.',
},
{
- name: 'province',
+ name: 'signature_algorithm',
type: 'keyword',
- description: 'Province or region within country.',
+ description: "The algorithm used for the certificate's signature.\n",
},
{
- name: 'common_name',
+ name: 'alternative_names',
type: 'keyword',
- description: 'Name or host name identified by the certificate.',
+ description: 'Subject Alternative Names for this certificate.',
+ },
+ {
+ name: 'subject',
+ type: 'group',
+ description: 'Subject represented by this certificate.',
+ fields: [
+ {
+ name: 'country',
+ type: 'keyword',
+ description: 'Country code.',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description: 'Organization name.',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description: 'Unit within organization.',
+ },
+ {
+ name: 'province',
+ type: 'keyword',
+ description: 'Province or region within country.',
+ },
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description: 'Name or host name identified by the certificate.',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description: 'Locality.',
+ },
+ ],
+ },
+ {
+ name: 'issuer',
+ type: 'group',
+ description: 'Entity that issued and signed this certificate.',
+ fields: [
+ {
+ name: 'country',
+ type: 'keyword',
+ description: 'Country code.',
+ },
+ {
+ name: 'organization',
+ type: 'keyword',
+ description: 'Organization name.',
+ },
+ {
+ name: 'organizational_unit',
+ type: 'keyword',
+ description: 'Unit within organization.',
+ },
+ {
+ name: 'province',
+ type: 'keyword',
+ description: 'Province or region within country.',
+ },
+ {
+ name: 'common_name',
+ type: 'keyword',
+ description: 'Name or host name identified by the certificate.',
+ },
+ {
+ name: 'locality',
+ type: 'keyword',
+ description: 'Locality.',
+ },
+ ],
},
],
},
{
- name: 'issuer',
- type: 'group',
- description: 'Entity that issued and signed this certificate.',
- fields: [
- {
- name: 'country',
- type: 'keyword',
- description: 'Country code.',
- },
- {
- name: 'organization',
- type: 'keyword',
- description: 'Organization name.',
- },
- {
- name: 'organizational_unit',
- type: 'keyword',
- description: 'Unit within organization.',
- },
- {
- name: 'province',
- type: 'keyword',
- description: 'Province or region within country.',
- },
- {
- name: 'common_name',
- type: 'keyword',
- description: 'Name or host name identified by the certificate.',
- },
- ],
+ name: 'server_certificate_chain',
+ type: 'array',
+ description: 'Chain of trust for the server certificate.',
},
{
- name: 'fingerprint',
- type: 'group',
- fields: [
- {
- name: 'md5',
- type: 'keyword',
- description: "Certificate's MD5 fingerprint.",
- },
- {
- name: 'sha1',
- type: 'keyword',
- description: "Certificate's SHA-1 fingerprint.",
- },
- {
- name: 'sha256',
- type: 'keyword',
- description: "Certificate's SHA-256 fingerprint.",
- },
- ],
+ name: 'client_certificate_chain',
+ type: 'array',
+ description: 'Chain of trust for the client certificate.',
},
- ],
- },
- {
- name: 'server_certificate_chain',
- type: 'array',
- description: 'Chain of trust for the server certificate.',
- },
- {
- name: 'client_certificate_chain',
- type: 'array',
- description: 'Chain of trust for the client certificate.',
- },
- {
- name: 'alert_types',
- type: 'keyword',
- description: 'An array containing the TLS alert type for every alert received.',
- },
- {
- name: 'fingerprints',
- type: 'group',
- description: 'Fingerprints for this TLS session.',
- fields: [
{
- name: 'ja3',
- type: 'group',
- description: 'JA3 TLS client fingerprint',
- fields: [
- {
- name: 'hash',
- type: 'keyword',
- description: 'The JA3 fingerprint hash for the client side.',
- },
- {
- name: 'str',
- type: 'keyword',
- description: 'The JA3 string used to calculate the hash.',
- },
- ],
+ name: 'alert_types',
+ type: 'keyword',
+ description: 'An array containing the TLS alert type for every alert received.\n',
},
],
},
],
},
+ {
+ name: 'tls.handshake_completed',
+ type: 'alias',
+ path: 'tls.established',
+ },
+ {
+ name: 'tls.client_hello.supported_ciphers',
+ type: 'alias',
+ path: 'tls.client.supported_ciphers',
+ },
+ {
+ name: 'tls.server_hello.selected_cipher',
+ type: 'alias',
+ path: 'tls.cipher',
+ },
+ {
+ name: 'tls.fingerprints.ja3',
+ type: 'alias',
+ path: 'tls.client.ja3',
+ },
+ {
+ name: 'tls.resumption_method',
+ type: 'alias',
+ path: 'tls.detailed.resumption_method',
+ },
+ {
+ name: 'tls.client_certificate_requested',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate_requested',
+ },
+ {
+ name: 'tls.client_hello.version',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.version',
+ },
+ {
+ name: 'tls.client_hello.session_id',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.session_id',
+ },
+ {
+ name: 'tls.client_hello.supported_compression_methods',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.supported_compression_methods',
+ },
+ {
+ name: 'tls.client_hello.extensions.server_name_indication',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.extensions.server_name_indication',
+ },
+ {
+ name: 'tls.client_hello.extensions.application_layer_protocol_negotiation',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.extensions.application_layer_protocol_negotiation',
+ },
+ {
+ name: 'tls.client_hello.extensions.session_ticket',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.extensions.session_ticket',
+ },
+ {
+ name: 'tls.client_hello.extensions.supported_versions',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.extensions.supported_versions',
+ },
+ {
+ name: 'tls.client_hello.extensions.supported_groups',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.extensions.supported_groups',
+ },
+ {
+ name: 'tls.client_hello.extensions.signature_algorithms',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.extensions.signature_algorithms',
+ },
+ {
+ name: 'tls.client_hello.extensions.ec_points_formats',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.extensions.ec_points_formats',
+ },
+ {
+ name: 'tls.client_hello.extensions._unparsed_',
+ type: 'alias',
+ path: 'tls.detailed.client_hello.extensions._unparsed_',
+ },
+ {
+ name: 'tls.server_hello.version',
+ type: 'alias',
+ path: 'tls.detailed.server_hello.version',
+ },
+ {
+ name: 'tls.server_hello.selected_compression_method',
+ type: 'alias',
+ path: 'tls.detailed.server_hello.selected_compression_method',
+ },
+ {
+ name: 'tls.server_hello.session_id',
+ type: 'alias',
+ path: 'tls.detailed.server_hello.session_id',
+ },
+ {
+ name: 'tls.server_hello.extensions.application_layer_protocol_negotiation',
+ type: 'alias',
+ path: 'tls.detailed.server_hello.extensions.application_layer_protocol_negotiation',
+ },
+ {
+ name: 'tls.server_hello.extensions.session_ticket',
+ type: 'alias',
+ path: 'tls.detailed.server_hello.extensions.session_ticket',
+ },
+ {
+ name: 'tls.server_hello.extensions.supported_versions',
+ type: 'alias',
+ path: 'tls.detailed.server_hello.extensions.supported_versions',
+ },
+ {
+ name: 'tls.server_hello.extensions.ec_points_formats',
+ type: 'alias',
+ path: 'tls.detailed.server_hello.extensions.ec_points_formats',
+ },
+ {
+ name: 'tls.server_hello.extensions._unparsed_',
+ type: 'alias',
+ path: 'tls.detailed.server_hello.extensions._unparsed_',
+ },
+ {
+ name: 'tls.client_certificate.version',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.version',
+ },
+ {
+ name: 'tls.client_certificate.serial_number',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.serial_number',
+ },
+ {
+ name: 'tls.client_certificate.not_before',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.not_before',
+ },
+ {
+ name: 'tls.client_certificate.not_after',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.not_after',
+ },
+ {
+ name: 'tls.client_certificate.public_key_algorithm',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.public_key_algorithm',
+ },
+ {
+ name: 'tls.client_certificate.public_key_size',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.public_key_size',
+ },
+ {
+ name: 'tls.client_certificate.signature_algorithm',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.signature_algorithm',
+ },
+ {
+ name: 'tls.client_certificate.alternative_names',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.alternative_names',
+ },
+ {
+ name: 'tls.client_certificate.subject.country',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.subject.country',
+ },
+ {
+ name: 'tls.client_certificate.subject.organization',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.subject.organization',
+ },
+ {
+ name: 'tls.client_certificate.subject.organizational_unit',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.subject.organizational_unit',
+ },
+ {
+ name: 'tls.client_certificate.subject.province',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.subject.province',
+ },
+ {
+ name: 'tls.client_certificate.subject.common_name',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.subject.common_name',
+ },
+ {
+ name: 'tls.client_certificate.subject.locality',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.subject.locality',
+ },
+ {
+ name: 'tls.client_certificate.issuer.country',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.issuer.country',
+ },
+ {
+ name: 'tls.client_certificate.issuer.organization',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.issuer.organization',
+ },
+ {
+ name: 'tls.client_certificate.issuer.organizational_unit',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.issuer.organizational_unit',
+ },
+ {
+ name: 'tls.client_certificate.issuer.province',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.issuer.province',
+ },
+ {
+ name: 'tls.client_certificate.issuer.common_name',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.issuer.common_name',
+ },
+ {
+ name: 'tls.client_certificate.issuer.locality',
+ type: 'alias',
+ path: 'tls.detailed.client_certificate.issuer.locality',
+ },
+ {
+ name: 'tls.server_certificate.version',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.version',
+ },
+ {
+ name: 'tls.server_certificate.serial_number',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.serial_number',
+ },
+ {
+ name: 'tls.server_certificate.not_before',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.not_before',
+ },
+ {
+ name: 'tls.server_certificate.not_after',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.not_after',
+ },
+ {
+ name: 'tls.server_certificate.public_key_algorithm',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.public_key_algorithm',
+ },
+ {
+ name: 'tls.server_certificate.public_key_size',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.public_key_size',
+ },
+ {
+ name: 'tls.server_certificate.signature_algorithm',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.signature_algorithm',
+ },
+ {
+ name: 'tls.server_certificate.alternative_names',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.alternative_names',
+ },
+ {
+ name: 'tls.server_certificate.subject.country',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.subject.country',
+ },
+ {
+ name: 'tls.server_certificate.subject.organization',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.subject.organization',
+ },
+ {
+ name: 'tls.server_certificate.subject.organizational_unit',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.subject.organizational_unit',
+ },
+ {
+ name: 'tls.server_certificate.subject.province',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.subject.province',
+ },
+ {
+ name: 'tls.server_certificate.subject.common_name',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.subject.common_name',
+ },
+ {
+ name: 'tls.server_certificate.subject.locality',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.subject.locality',
+ },
+ {
+ name: 'tls.server_certificate.issuer.country',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.issuer.country',
+ },
+ {
+ name: 'tls.server_certificate.issuer.organization',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.issuer.organization',
+ },
+ {
+ name: 'tls.server_certificate.issuer.organizational_unit',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.issuer.organizational_unit',
+ },
+ {
+ name: 'tls.server_certificate.issuer.province',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.issuer.province',
+ },
+ {
+ name: 'tls.server_certificate.issuer.common_name',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.issuer.common_name',
+ },
+ {
+ name: 'tls.server_certificate.issuer.locality',
+ type: 'alias',
+ path: 'tls.detailed.server_certificate.issuer.locality',
+ },
+ {
+ name: 'tls.alert_types',
+ type: 'alias',
+ path: 'tls.detailed.alert_types',
+ },
],
},
];
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.test.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.test.ts
index 53ed7c26b877f6..56ceca2b70e9ce 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.test.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.test.ts
@@ -17,175 +17,94 @@ describe('Schema Beat', () => {
convertData[0].fields = isArray(convertData[0].fields)
? convertData[0].fields!.slice(0, 6)
: [];
+
expect(convertSchemaToAssociativeArray(convertData)).toEqual({
'@timestamp': {
description:
- 'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
+ 'Date/time when the event originated.\n\nThis is the date/time extracted from the event, typically representing when\nthe event was generated by the source.\n\nIf the event source has no original timestamp, this value is typically populated\nby the first time the event was received by the pipeline.\n\nRequired field for all events.',
example: '2016-05-23T08:05:34.853Z',
name: '@timestamp',
type: 'date',
},
- tags: {
- description: 'List of keywords used to tag each event.',
- example: '["production", "env2"]',
- name: 'tags',
- type: 'keyword',
- },
labels: {
description:
- 'Key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.',
- example: '{"env":"production","application":"foo-bar"}',
+ 'Custom key/value pairs.\n\nCan be used to add meta information to events. Should not contain nested objects.\nAll values are stored as keyword.\n\nExample: `docker` and `k8s` labels.',
+ example: '{"application": "foo-bar", "env": "production"}',
name: 'labels',
type: 'object',
},
message: {
description:
- 'For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.',
+ 'For log events the message field contains the log message, optimized\nfor viewing in a log viewer.\n\nFor structured logs without an original message field, other fields can be concatenated\nto form a human-readable summary of the event.\n\nIf multiple messages exist, they can be combined into one message.',
example: 'Hello World',
name: 'message',
type: 'text',
},
+ tags: {
+ description: 'List of keywords used to tag each event.',
+ example: '["production", "env2"]',
+ name: 'tags',
+ type: 'keyword',
+ },
agent: {
description:
- 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.',
+ 'The agent fields contain the data about the software entity, if\nany, that collects, detects, or observes events on a host, or takes measurements\non a host.\n\nExamples include Beats. Agents may also run on observers. ECS agent.* fields\nshall be populated with details of the agent running on the host or observer\nwhere the event happened or the measurement was taken.',
name: 'agent',
type: 'group',
fields: {
- 'agent.version': {
- description: 'Version of the agent.',
- example: '6.0.0-rc2',
- name: 'version',
+ 'agent.ephemeral_id': {
+ description:
+ 'Ephemeral identifier of this agent (if one exists).\n\nThis id normally changes across restarts, but `agent.id` does not.',
+ example: '8a4f500f',
+ name: 'ephemeral_id',
+ type: 'keyword',
+ },
+ 'agent.id': {
+ description:
+ 'Unique identifier of this agent (if one exists).\n\nExample: For Beats this would be beat.id.',
+ example: '8a4f500d',
+ name: 'id',
type: 'keyword',
},
'agent.name': {
description:
- 'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
+ 'Custom name of the agent.\n\nThis is a name that can be given to an agent. This can be helpful if for example\ntwo Filebeat instances are running on the same host but a human readable separation\nis needed on which Filebeat instance data is coming from.\n\nIf no name is given, the name is often left empty.',
example: 'foo',
name: 'name',
type: 'keyword',
},
'agent.type': {
description:
- 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.',
+ 'Type of the agent.\n\nThe agent type stays always the same and should be given by the agent used.\nIn case of Filebeat the agent would always be Filebeat also if two Filebeat\ninstances are run on the same machine.',
example: 'filebeat',
name: 'type',
type: 'keyword',
},
- 'agent.id': {
- description:
- 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
- example: '8a4f500d',
- name: 'id',
- type: 'keyword',
- },
- 'agent.ephemeral_id': {
- description:
- 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
- example: '8a4f500f',
- name: 'ephemeral_id',
+ 'agent.version': {
+ description: 'Version of the agent.',
+ example: '6.0.0-rc2',
+ name: 'version',
type: 'keyword',
},
},
},
- client: {
+ as: {
description:
- 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.',
- name: 'client',
+ 'An autonomous system (AS) is a collection of connected Internet Protocol\n(IP) routing prefixes under the control of one or more network operators on\nbehalf of a single administrative entity or domain that presents a common, clearly\ndefined routing policy to the internet.',
+ name: 'as',
type: 'group',
fields: {
- 'client.address': {
+ 'as.number': {
description:
- 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
- name: 'address',
- type: 'keyword',
- },
- 'client.ip': {
- description:
- 'IP address of the client. Can be one or multiple IPv4 or IPv6 addresses.',
- name: 'ip',
- type: 'ip',
- },
- 'client.port': {
- description: 'Port of the client.',
- name: 'port',
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ name: 'number',
type: 'long',
},
- 'client.mac': {
- description: 'MAC address of the client.',
- name: 'mac',
- type: 'keyword',
- },
- 'client.domain': {
- description: 'Client domain.',
- name: 'domain',
- type: 'keyword',
- },
- 'client.bytes': {
- description: 'Bytes sent from the client to the server.',
- example: 184,
- format: 'bytes',
- name: 'bytes',
- type: 'long',
- },
- 'client.packets': {
- description: 'Packets sent from the client to the server.',
- example: 12,
- name: 'packets',
- type: 'long',
- },
- 'client.geo': {
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- name: 'geo',
- type: 'group',
- },
- 'client.geo.location': {
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- name: 'location',
- type: 'geo_point',
- },
- 'client.geo.continent_name': {
- description: 'Name of the continent.',
- example: 'North America',
- name: 'continent_name',
- type: 'keyword',
- },
- 'client.geo.country_name': {
- description: 'Country name.',
- example: 'Canada',
- name: 'country_name',
- type: 'keyword',
- },
- 'client.geo.region_name': {
- description: 'Region name.',
- example: 'Quebec',
- name: 'region_name',
- type: 'keyword',
- },
- 'client.geo.city_name': {
- description: 'City name.',
- example: 'Montreal',
- name: 'city_name',
- type: 'keyword',
- },
- 'client.geo.country_iso_code': {
- description: 'Country ISO code.',
- example: 'CA',
- name: 'country_iso_code',
- type: 'keyword',
- },
- 'client.geo.region_iso_code': {
- description: 'Region ISO code.',
- example: 'CA-QC',
- name: 'region_iso_code',
- type: 'keyword',
- },
- 'client.geo.name': {
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- name: 'name',
+ 'as.organization.name': {
+ description: 'Organization name.',
+ example: 'Google LLC',
+ name: 'organization.name',
type: 'keyword',
},
},
@@ -198,175 +117,94 @@ describe('Schema Beat', () => {
convertData[0].fields = isArray(convertData[0].fields)
? convertData[0].fields!.slice(0, 6)
: [];
+
expect(convertSchemaToAssociativeArray(convertData)).toEqual({
'@timestamp': {
description:
- 'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
+ 'Date/time when the event originated.\n\nThis is the date/time extracted from the event, typically representing when\nthe event was generated by the source.\n\nIf the event source has no original timestamp, this value is typically populated\nby the first time the event was received by the pipeline.\n\nRequired field for all events.',
example: '2016-05-23T08:05:34.853Z',
name: '@timestamp',
type: 'date',
},
- tags: {
- description: 'List of keywords used to tag each event.',
- example: '["production", "env2"]',
- name: 'tags',
- type: 'keyword',
- },
labels: {
description:
- 'Key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.',
- example: '{"env":"production","application":"foo-bar"}',
+ 'Custom key/value pairs.\n\nCan be used to add meta information to events. Should not contain nested objects.\nAll values are stored as keyword.\n\nExample: `docker` and `k8s` labels.',
+ example: '{"application": "foo-bar", "env": "production"}',
name: 'labels',
type: 'object',
},
message: {
description:
- 'For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.',
+ 'For log events the message field contains the log message, optimized\nfor viewing in a log viewer.\n\nFor structured logs without an original message field, other fields can be concatenated\nto form a human-readable summary of the event.\n\nIf multiple messages exist, they can be combined into one message.',
example: 'Hello World',
name: 'message',
type: 'text',
},
+ tags: {
+ description: 'List of keywords used to tag each event.',
+ example: '["production", "env2"]',
+ name: 'tags',
+ type: 'keyword',
+ },
agent: {
description:
- 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.',
+ 'The agent fields contain the data about the software entity, if\nany, that collects, detects, or observes events on a host, or takes measurements\non a host.\n\nExamples include Beats. Agents may also run on observers. ECS agent.* fields\nshall be populated with details of the agent running on the host or observer\nwhere the event happened or the measurement was taken.',
name: 'agent',
type: 'group',
fields: {
- 'agent.version': {
- description: 'Version of the agent.',
- example: '6.0.0-rc2',
- name: 'version',
+ 'agent.ephemeral_id': {
+ description:
+ 'Ephemeral identifier of this agent (if one exists).\n\nThis id normally changes across restarts, but `agent.id` does not.',
+ example: '8a4f500f',
+ name: 'ephemeral_id',
+ type: 'keyword',
+ },
+ 'agent.id': {
+ description:
+ 'Unique identifier of this agent (if one exists).\n\nExample: For Beats this would be beat.id.',
+ example: '8a4f500d',
+ name: 'id',
type: 'keyword',
},
'agent.name': {
description:
- 'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
+ 'Custom name of the agent.\n\nThis is a name that can be given to an agent. This can be helpful if for example\ntwo Filebeat instances are running on the same host but a human readable separation\nis needed on which Filebeat instance data is coming from.\n\nIf no name is given, the name is often left empty.',
example: 'foo',
name: 'name',
type: 'keyword',
},
'agent.type': {
description:
- 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.',
+ 'Type of the agent.\n\nThe agent type stays always the same and should be given by the agent used.\nIn case of Filebeat the agent would always be Filebeat also if two Filebeat\ninstances are run on the same machine.',
example: 'filebeat',
name: 'type',
type: 'keyword',
},
- 'agent.id': {
- description:
- 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
- example: '8a4f500d',
- name: 'id',
- type: 'keyword',
- },
- 'agent.ephemeral_id': {
- description:
- 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
- example: '8a4f500f',
- name: 'ephemeral_id',
+ 'agent.version': {
+ description: 'Version of the agent.',
+ example: '6.0.0-rc2',
+ name: 'version',
type: 'keyword',
},
},
},
- client: {
+ as: {
description:
- 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.',
- name: 'client',
+ 'An autonomous system (AS) is a collection of connected Internet Protocol\n(IP) routing prefixes under the control of one or more network operators on\nbehalf of a single administrative entity or domain that presents a common, clearly\ndefined routing policy to the internet.',
+ name: 'as',
type: 'group',
fields: {
- 'client.address': {
+ 'as.number': {
description:
- 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
- name: 'address',
- type: 'keyword',
- },
- 'client.ip': {
- description:
- 'IP address of the client. Can be one or multiple IPv4 or IPv6 addresses.',
- name: 'ip',
- type: 'ip',
- },
- 'client.port': {
- description: 'Port of the client.',
- name: 'port',
- type: 'long',
- },
- 'client.mac': {
- description: 'MAC address of the client.',
- name: 'mac',
- type: 'keyword',
- },
- 'client.domain': {
- description: 'Client domain.',
- name: 'domain',
- type: 'keyword',
- },
- 'client.bytes': {
- description: 'Bytes sent from the client to the server.',
- example: 184,
- format: 'bytes',
- name: 'bytes',
- type: 'long',
- },
- 'client.packets': {
- description: 'Packets sent from the client to the server.',
- example: 12,
- name: 'packets',
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ name: 'number',
type: 'long',
},
- 'client.geo': {
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- name: 'geo',
- type: 'group',
- },
- 'client.geo.location': {
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- name: 'location',
- type: 'geo_point',
- },
- 'client.geo.continent_name': {
- description: 'Name of the continent.',
- example: 'North America',
- name: 'continent_name',
- type: 'keyword',
- },
- 'client.geo.country_name': {
- description: 'Country name.',
- example: 'Canada',
- name: 'country_name',
- type: 'keyword',
- },
- 'client.geo.region_name': {
- description: 'Region name.',
- example: 'Quebec',
- name: 'region_name',
- type: 'keyword',
- },
- 'client.geo.city_name': {
- description: 'City name.',
- example: 'Montreal',
- name: 'city_name',
- type: 'keyword',
- },
- 'client.geo.country_iso_code': {
- description: 'Country ISO code.',
- example: 'CA',
- name: 'country_iso_code',
- type: 'keyword',
- },
- 'client.geo.region_iso_code': {
- description: 'Region ISO code.',
- example: 'CA-QC',
- name: 'region_iso_code',
- type: 'keyword',
- },
- 'client.geo.name': {
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- name: 'name',
+ 'as.organization.name': {
+ description: 'Organization name.',
+ example: 'Google LLC',
+ name: 'organization.name',
type: 'keyword',
},
},
@@ -379,175 +217,94 @@ describe('Schema Beat', () => {
convertData[0].fields = isArray(convertData[0].fields)
? convertData[0].fields!.slice(0, 6)
: [];
+
expect(convertSchemaToAssociativeArray(convertData)).toEqual({
'@timestamp': {
description:
- 'Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.',
+ 'Date/time when the event originated.\n\nThis is the date/time extracted from the event, typically representing when\nthe event was generated by the source.\n\nIf the event source has no original timestamp, this value is typically populated\nby the first time the event was received by the pipeline.\n\nRequired field for all events.',
example: '2016-05-23T08:05:34.853Z',
name: '@timestamp',
type: 'date',
},
- tags: {
- description: 'List of keywords used to tag each event.',
- example: '["production", "env2"]',
- name: 'tags',
- type: 'keyword',
- },
labels: {
description:
- 'Key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.',
- example: '{"env":"production","application":"foo-bar"}',
+ 'Custom key/value pairs.\n\nCan be used to add meta information to events. Should not contain nested objects.\nAll values are stored as keyword.\n\nExample: `docker` and `k8s` labels.',
+ example: '{"application": "foo-bar", "env": "production"}',
name: 'labels',
type: 'object',
},
message: {
description:
- 'For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.',
+ 'For log events the message field contains the log message, optimized\nfor viewing in a log viewer.\n\nFor structured logs without an original message field, other fields can be concatenated\nto form a human-readable summary of the event.\n\nIf multiple messages exist, they can be combined into one message.',
example: 'Hello World',
name: 'message',
type: 'text',
},
+ tags: {
+ description: 'List of keywords used to tag each event.',
+ example: '["production", "env2"]',
+ name: 'tags',
+ type: 'keyword',
+ },
agent: {
description:
- 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.',
+ 'The agent fields contain the data about the software entity, if\nany, that collects, detects, or observes events on a host, or takes measurements\non a host.\n\nExamples include Beats. Agents may also run on observers. ECS agent.* fields\nshall be populated with details of the agent running on the host or observer\nwhere the event happened or the measurement was taken.',
name: 'agent',
type: 'group',
fields: {
- 'agent.version': {
- description: 'Version of the agent.',
- example: '6.0.0-rc2',
- name: 'version',
+ 'agent.ephemeral_id': {
+ description:
+ 'Ephemeral identifier of this agent (if one exists).\n\nThis id normally changes across restarts, but `agent.id` does not.',
+ example: '8a4f500f',
+ name: 'ephemeral_id',
+ type: 'keyword',
+ },
+ 'agent.id': {
+ description:
+ 'Unique identifier of this agent (if one exists).\n\nExample: For Beats this would be beat.id.',
+ example: '8a4f500d',
+ name: 'id',
type: 'keyword',
},
'agent.name': {
description:
- 'Name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.',
+ 'Custom name of the agent.\n\nThis is a name that can be given to an agent. This can be helpful if for example\ntwo Filebeat instances are running on the same host but a human readable separation\nis needed on which Filebeat instance data is coming from.\n\nIf no name is given, the name is often left empty.',
example: 'foo',
name: 'name',
type: 'keyword',
},
'agent.type': {
description:
- 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.',
+ 'Type of the agent.\n\nThe agent type stays always the same and should be given by the agent used.\nIn case of Filebeat the agent would always be Filebeat also if two Filebeat\ninstances are run on the same machine.',
example: 'filebeat',
name: 'type',
type: 'keyword',
},
- 'agent.id': {
- description:
- 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.',
- example: '8a4f500d',
- name: 'id',
- type: 'keyword',
- },
- 'agent.ephemeral_id': {
- description:
- 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.',
- example: '8a4f500f',
- name: 'ephemeral_id',
+ 'agent.version': {
+ description: 'Version of the agent.',
+ example: '6.0.0-rc2',
+ name: 'version',
type: 'keyword',
},
},
},
- client: {
+ as: {
description:
- 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.',
- name: 'client',
+ 'An autonomous system (AS) is a collection of connected Internet Protocol\n(IP) routing prefixes under the control of one or more network operators on\nbehalf of a single administrative entity or domain that presents a common, clearly\ndefined routing policy to the internet.',
+ name: 'as',
type: 'group',
fields: {
- 'client.address': {
+ 'as.number': {
description:
- 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.',
- name: 'address',
- type: 'keyword',
- },
- 'client.ip': {
- description:
- 'IP address of the client. Can be one or multiple IPv4 or IPv6 addresses.',
- name: 'ip',
- type: 'ip',
- },
- 'client.port': {
- description: 'Port of the client.',
- name: 'port',
- type: 'long',
- },
- 'client.mac': {
- description: 'MAC address of the client.',
- name: 'mac',
- type: 'keyword',
- },
- 'client.domain': {
- description: 'Client domain.',
- name: 'domain',
- type: 'keyword',
- },
- 'client.bytes': {
- description: 'Bytes sent from the client to the server.',
- example: 184,
- format: 'bytes',
- name: 'bytes',
+ 'Unique number allocated to the autonomous system. The autonomous\nsystem number (ASN) uniquely identifies each network on the Internet.',
+ example: 15169,
+ name: 'number',
type: 'long',
},
- 'client.packets': {
- description: 'Packets sent from the client to the server.',
- example: 12,
- name: 'packets',
- type: 'long',
- },
- 'client.geo': {
- description:
- 'Geo fields can carry data about a specific location related to an event or geo information derived from an IP field.',
- name: 'geo',
- type: 'group',
- },
- 'client.geo.location': {
- description: 'Longitude and latitude.',
- example: '{ "lon": -73.614830, "lat": 45.505918 }',
- name: 'location',
- type: 'geo_point',
- },
- 'client.geo.continent_name': {
- description: 'Name of the continent.',
- example: 'North America',
- name: 'continent_name',
- type: 'keyword',
- },
- 'client.geo.country_name': {
- description: 'Country name.',
- example: 'Canada',
- name: 'country_name',
- type: 'keyword',
- },
- 'client.geo.region_name': {
- description: 'Region name.',
- example: 'Quebec',
- name: 'region_name',
- type: 'keyword',
- },
- 'client.geo.city_name': {
- description: 'City name.',
- example: 'Montreal',
- name: 'city_name',
- type: 'keyword',
- },
- 'client.geo.country_iso_code': {
- description: 'Country ISO code.',
- example: 'CA',
- name: 'country_iso_code',
- type: 'keyword',
- },
- 'client.geo.region_iso_code': {
- description: 'Region ISO code.',
- example: 'CA-QC',
- name: 'region_iso_code',
- type: 'keyword',
- },
- 'client.geo.name': {
- description:
- 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.',
- example: 'boston-dc',
- name: 'name',
+ 'as.organization.name': {
+ description: 'Organization name.',
+ example: 'Google LLC',
+ name: 'organization.name',
type: 'keyword',
},
},
@@ -562,40 +319,58 @@ describe('Schema Beat', () => {
'_id',
'_index',
'@timestamp',
- 'tags',
'labels',
'message',
+ 'tags',
'agent',
+ 'as',
'client',
'cloud',
+ 'code_signature',
'container',
'destination',
+ 'dll',
+ 'dns',
'ecs',
'error',
'event',
'file',
+ 'geo',
'group',
+ 'hash',
'host',
'http',
+ 'interface',
'log',
'network',
'observer',
'organization',
'os',
+ 'package',
+ 'pe',
'process',
+ 'registry',
'related',
+ 'rule',
'server',
'service',
'source',
+ 'threat',
+ 'tls',
+ 'tracing',
'url',
'user',
'user_agent',
+ 'vlan',
+ 'vulnerability',
'agent.hostname',
'beat.timezone',
'fields',
'beat.name',
'beat.hostname',
+ 'timeseries.instance',
'cloud.project.id',
+ 'cloud.image.id',
'meta.cloud.provider',
'meta.cloud.instance_id',
'meta.cloud.instance_name',
@@ -605,55 +380,17 @@ describe('Schema Beat', () => {
'meta.cloud.region',
'docker',
'kubernetes',
- 'type',
- 'server.process.name',
- 'server.process.args',
- 'server.process.executable',
- 'server.process.working_directory',
- 'server.process.start',
- 'client.process.name',
- 'client.process.args',
- 'client.process.executable',
- 'client.process.working_directory',
- 'client.process.start',
- 'real_ip',
- 'transport',
- 'flow.final',
- 'flow.id',
- 'flow.vlan',
- 'flow_id',
- 'final',
- 'vlan',
- 'source.stats.net_bytes_total',
- 'source.stats.net_packets_total',
- 'dest.stats.net_bytes_total',
- 'dest.stats.net_packets_total',
- 'status',
- 'method',
- 'resource',
- 'path',
- 'query',
- 'params',
- 'notes',
- 'request',
- 'response',
- 'bytes_in',
- 'bytes_out',
- 'amqp',
- 'no_request',
- 'cassandra',
- 'dhcpv4',
- 'dns',
- 'icmp',
- 'memcache',
- 'mongodb',
- 'mysql',
- 'nfs',
- 'rpc',
- 'pgsql',
- 'redis',
- 'thrift',
- 'tls',
+ 'jolokia.agent.version',
+ 'jolokia.agent.id',
+ 'jolokia.server.product',
+ 'jolokia.server.version',
+ 'jolokia.server.vendor',
+ 'jolokia.url',
+ 'jolokia.secured',
+ 'auditd',
+ 'geoip',
+ 'socket',
+ 'system.audit',
]);
});
});
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.ts
index a191bd835a7c73..3e9be4e265e637 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/index.ts
@@ -106,19 +106,14 @@ export const getIndexSchemaDoc = memoize((index: string) => {
...extraSchemaField,
...convertSchemaToAssociativeArray(winlogbeatSchema),
};
- } else if (index.match('ecs') != null) {
- return {
- ...extraSchemaField,
- ...ecsSchema,
- };
}
- return {};
+ return {
+ ...extraSchemaField,
+ ...convertSchemaToAssociativeArray(ecsSchema),
+ };
});
export const hasDocumentation = (index: string, path: string): boolean => {
- if (index === 'unknown') {
- return false;
- }
const splitPath = path.split('.');
const category = splitPath.length > 0 ? splitPath[0] : null;
if (category === null) {
@@ -131,16 +126,13 @@ export const hasDocumentation = (index: string, path: string): boolean => {
};
export const getDocumentation = (index: string, path: string) => {
- if (index === 'unknown') {
- return '';
- }
const splitPath = path.split('.');
const category = splitPath.length > 0 ? splitPath[0] : null;
if (category === null) {
- return '';
+ return {};
}
if (splitPath.length > 1) {
- return get([category, 'fields', path], getIndexSchemaDoc(index)) || '';
+ return get([category, 'fields', path], getIndexSchemaDoc(index)) || {};
}
- return get(category, getIndexSchemaDoc(index)) || '';
+ return get(category, getIndexSchemaDoc(index)) || {};
};
diff --git a/x-pack/legacy/plugins/siem/server/utils/beat_schema/type.ts b/x-pack/legacy/plugins/siem/server/utils/beat_schema/type.ts
index f34519da34ee8a..2b7be8f4b7539e 100644
--- a/x-pack/legacy/plugins/siem/server/utils/beat_schema/type.ts
+++ b/x-pack/legacy/plugins/siem/server/utils/beat_schema/type.ts
@@ -12,25 +12,35 @@ export type IndexAlias = 'auditbeat' | 'filebeat' | 'packetbeat' | 'ecs' | 'winl
*/
export interface SchemaFields {
+ default_field: boolean;
+ default_fields: boolean;
definition: string;
+ deprecated: string;
description: string;
doc_values: boolean;
- example: string | number | object;
+ example: string | number | object | boolean;
footnote: string;
format: string;
group: number;
index: boolean;
+ ignore_above: number;
input_format: string;
level: string;
migration: boolean;
multi_fields: object[];
name: string;
+ norms: boolean;
object_type: string;
+ object_type_mapping_type: string;
+ output_format: string;
+ output_precision: number;
+ overwrite: boolean;
path: string;
possible_values: string[] | number[];
release: string;
required: boolean;
reusable: object;
+ short: string;
title: string;
type: string;
fields: Array>;
@@ -48,33 +58,6 @@ export interface SchemaItem {
export type Schema = Array>;
-/*
- * ECS Interface
- *
- */
-
-interface EcsField {
- description: string;
- example: string;
- footnote: string;
- group: number;
- level: string;
- name: string;
- required: boolean;
- type: string;
-}
-
-interface EcsNamespace {
- description: string;
- fields: Readonly>;
- group: number;
- name: string;
- title: string;
- type: string;
-}
-
-export type EcsSchema = Readonly>;
-
/*
* Associative Array Output Interface
*
diff --git a/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts b/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts
index 74eead0708545f..47d7aff8022ce6 100644
--- a/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts
+++ b/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts
@@ -65,6 +65,11 @@ export async function sendEmail(logger: Logger, options: SendEmailOptions): Prom
transportConfig.host = host;
transportConfig.port = port;
transportConfig.secure = !!secure;
+ if (!transportConfig.secure) {
+ transportConfig.tls = {
+ rejectUnauthorized: false,
+ };
+ }
}
const nodemailerTransport = nodemailer.createTransport(transportConfig);
diff --git a/x-pack/plugins/apm/server/lib/service_map/get_service_map_service_node_info.ts b/x-pack/plugins/apm/server/lib/service_map/get_service_map_service_node_info.ts
index 0fe825e8ace359..d7e28828572d55 100644
--- a/x-pack/plugins/apm/server/lib/service_map/get_service_map_service_node_info.ts
+++ b/x-pack/plugins/apm/server/lib/service_map/get_service_map_service_node_info.ts
@@ -41,9 +41,7 @@ export async function getServiceMapServiceNodeInfo({
const filter: ESFilter[] = [
{ range: rangeFilter(start, end) },
{ term: { [SERVICE_NAME]: serviceName } },
- ...(environment
- ? [{ term: { [SERVICE_ENVIRONMENT]: SERVICE_ENVIRONMENT } }]
- : [])
+ ...(environment ? [{ term: { [SERVICE_ENVIRONMENT]: environment } }] : [])
];
const minutes = Math.abs((end - start) / (1000 * 60));
diff --git a/x-pack/plugins/data_enhanced/server/search/es_search_strategy.test.ts b/x-pack/plugins/data_enhanced/server/search/es_search_strategy.test.ts
index 88c576c70bdf0e..a8a42fe11e7ceb 100644
--- a/x-pack/plugins/data_enhanced/server/search/es_search_strategy.test.ts
+++ b/x-pack/plugins/data_enhanced/server/search/es_search_strategy.test.ts
@@ -71,7 +71,7 @@ describe('ES search strategy', () => {
expect(mockApiCaller.mock.calls[0][0]).toBe('transport.request');
const { method, path, body } = mockApiCaller.mock.calls[0][1];
expect(method).toBe('POST');
- expect(path).toBe('logstash-*/_async_search');
+ expect(path).toBe('/logstash-*/_async_search');
expect(body).toEqual({ query: {} });
});
@@ -94,7 +94,7 @@ describe('ES search strategy', () => {
expect(mockApiCaller.mock.calls[0][0]).toBe('transport.request');
const { method, path, body } = mockApiCaller.mock.calls[0][1];
expect(method).toBe('GET');
- expect(path).toBe('_async_search/foo');
+ expect(path).toBe('/_async_search/foo');
expect(body).toEqual(undefined);
});
@@ -117,7 +117,7 @@ describe('ES search strategy', () => {
expect(mockApiCaller.mock.calls[0][0]).toBe('transport.request');
const { method, path } = mockApiCaller.mock.calls[0][1];
expect(method).toBe('POST');
- expect(path).toBe('foo-%E7%A8%8B/_async_search');
+ expect(path).toBe('/foo-%E7%A8%8B/_async_search');
});
it('calls the rollup API if the index is a rollup type', async () => {
@@ -139,6 +139,6 @@ describe('ES search strategy', () => {
expect(mockApiCaller.mock.calls[0][0]).toBe('transport.request');
const { method, path } = mockApiCaller.mock.calls[0][1];
expect(method).toBe('POST');
- expect(path).toBe('foo-%E7%A8%8B/_rollup_search');
+ expect(path).toBe('/foo-%E7%A8%8B/_rollup_search');
});
});
diff --git a/x-pack/plugins/data_enhanced/server/search/es_search_strategy.ts b/x-pack/plugins/data_enhanced/server/search/es_search_strategy.ts
index 301f184af7d811..6b329bccab4a73 100644
--- a/x-pack/plugins/data_enhanced/server/search/es_search_strategy.ts
+++ b/x-pack/plugins/data_enhanced/server/search/es_search_strategy.ts
@@ -45,7 +45,7 @@ export const enhancedEsSearchStrategyProvider: TSearchStrategyProvider = async id => {
const method = 'DELETE';
- const path = encodeURI(`_async_search/${id}`);
+ const path = encodeURI(`/_async_search/${id}`);
await caller('transport.request', { method, path });
};
@@ -66,7 +66,7 @@ async function asyncSearch(
const { body = undefined, index = undefined, ...queryParams } = request.id ? {} : params;
const method = request.id ? 'GET' : 'POST';
- const path = encodeURI(request.id ? `_async_search/${request.id}` : `${index}/_async_search`);
+ const path = encodeURI(request.id ? `/_async_search/${request.id}` : `/${index}/_async_search`);
// Wait up to 1s for the response to return
const query = toSnakeCase({ waitForCompletionTimeout: '1s', ...queryParams });
@@ -87,7 +87,7 @@ async function rollupSearch(
) {
const { body, index, ...params } = request.params;
const method = 'POST';
- const path = encodeURI(`${index}/_rollup_search`);
+ const path = encodeURI(`/${index}/_rollup_search`);
const query = toSnakeCase(params);
const rawResponse = await ((caller(
diff --git a/x-pack/plugins/ingest_manager/common/services/package_to_config.test.ts b/x-pack/plugins/ingest_manager/common/services/package_to_config.test.ts
index 357f4078118809..5fa7af2dda79ab 100644
--- a/x-pack/plugins/ingest_manager/common/services/package_to_config.test.ts
+++ b/x-pack/plugins/ingest_manager/common/services/package_to_config.test.ts
@@ -24,6 +24,7 @@ describe('Ingest Manager - packageToConfig', () => {
visualization: [],
search: [],
'index-pattern': [],
+ map: [],
},
},
status: InstallationStatus.notInstalled,
diff --git a/x-pack/plugins/ingest_manager/common/types/models/epm.ts b/x-pack/plugins/ingest_manager/common/types/models/epm.ts
index 28786530db0189..efa6621001038b 100644
--- a/x-pack/plugins/ingest_manager/common/types/models/epm.ts
+++ b/x-pack/plugins/ingest_manager/common/types/models/epm.ts
@@ -28,6 +28,7 @@ export enum KibanaAssetType {
visualization = 'visualization',
search = 'search',
indexPattern = 'index-pattern',
+ map = 'map',
}
export enum ElasticsearchAssetType {
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/constants.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/constants.tsx
index 3a6dfe4a87dafe..685199245df18f 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/constants.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/constants.tsx
@@ -24,6 +24,7 @@ export const AssetTitleMap: Record = {
search: 'Saved Search',
visualization: 'Visualization',
input: 'Agent input',
+ map: 'Map',
};
export const ServiceTitleMap: Record = {
@@ -36,6 +37,7 @@ export const AssetIcons: Record = {
'index-pattern': 'indexPatternApp',
search: 'searchProfilerApp',
visualization: 'visualizeApp',
+ map: 'mapApp',
};
export const ServiceIcons: Record = {
diff --git a/x-pack/test/api_integration/apis/siem/sources.ts b/x-pack/test/api_integration/apis/siem/sources.ts
index 0b147022c7cd5c..e0db91449a8ccd 100644
--- a/x-pack/test/api_integration/apis/siem/sources.ts
+++ b/x-pack/test/api_integration/apis/siem/sources.ts
@@ -30,7 +30,7 @@ export default function({ getService }: FtrProviderContext) {
.then(resp => {
const sourceStatus = resp.data.source.status;
// test data in x-pack/test/functional/es_archives/auditbeat_test_data/data.json.gz
- expect(sourceStatus.indexFields.length).to.be(395);
+ expect(sourceStatus.indexFields.length).to.be(397);
expect(sourceStatus.indicesExist).to.be(true);
});
});