Created
March 10, 2023 23:26
Elastic Endpoint Defend (EDR) schemas as of 8.7
{ | |
"@timestamp": "date", | |
"Effective_process.entity_id": "keyword", | |
"Effective_process.executable": "keyword", | |
"Effective_process.name": "keyword", | |
"Effective_process.pid": "long", | |
"Endpoint.capabilities": "keyword", | |
"Endpoint.configuration": "object", | |
"Endpoint.configuration.isolation": "boolean", | |
"Endpoint.metrics": "object", | |
"Endpoint.metrics.cpu": "object", | |
"Endpoint.metrics.cpu.endpoint": "object", | |
"Endpoint.metrics.cpu.endpoint.histogram": "histogram", | |
"Endpoint.metrics.cpu.endpoint.latest": "half_float", | |
"Endpoint.metrics.cpu.endpoint.mean": "half_float", | |
"Endpoint.metrics.disks": "object", | |
"Endpoint.metrics.disks.device": "keyword", | |
"Endpoint.metrics.disks.endpoint_drive": "boolean", | |
"Endpoint.metrics.disks.free": "long", | |
"Endpoint.metrics.disks.fstype": "keyword", | |
"Endpoint.metrics.disks.mount": "keyword", | |
"Endpoint.metrics.disks.total": "long", | |
"Endpoint.metrics.documents_volume": "object", | |
"Endpoint.metrics.documents_volume.alerts.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.alerts.sent_count": "long", | |
"Endpoint.metrics.documents_volume.alerts.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.alerts.suppressed_count": "long", | |
"Endpoint.metrics.documents_volume.diagnostic_alerts.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.diagnostic_alerts.sent_count": "long", | |
"Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_count": "long", | |
"Endpoint.metrics.documents_volume.dns_events.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.dns_events.sent_count": "long", | |
"Endpoint.metrics.documents_volume.dns_events.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.dns_events.suppressed_count": "long", | |
"Endpoint.metrics.documents_volume.file_events.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.file_events.sent_count": "long", | |
"Endpoint.metrics.documents_volume.file_events.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.file_events.suppressed_count": "long", | |
"Endpoint.metrics.documents_volume.library_events.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.library_events.sent_count": "long", | |
"Endpoint.metrics.documents_volume.library_events.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.library_events.suppressed_count": "long", | |
"Endpoint.metrics.documents_volume.network_events.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.network_events.sent_count": "long", | |
"Endpoint.metrics.documents_volume.network_events.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.network_events.suppressed_count": "long", | |
"Endpoint.metrics.documents_volume.overall.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.overall.sent_count": "long", | |
"Endpoint.metrics.documents_volume.overall.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.overall.suppressed_count": "long", | |
"Endpoint.metrics.documents_volume.process_events.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.process_events.sent_count": "long", | |
"Endpoint.metrics.documents_volume.process_events.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.process_events.suppressed_count": "long", | |
"Endpoint.metrics.documents_volume.registry_events.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.registry_events.sent_count": "long", | |
"Endpoint.metrics.documents_volume.registry_events.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.registry_events.suppressed_count": "long", | |
"Endpoint.metrics.documents_volume.security_events.sent_bytes": "long", | |
"Endpoint.metrics.documents_volume.security_events.sent_count": "long", | |
"Endpoint.metrics.documents_volume.security_events.suppressed_bytes": "long", | |
"Endpoint.metrics.documents_volume.security_events.suppressed_count": "long", | |
"Endpoint.metrics.event_filter.active_global_count": "long", | |
"Endpoint.metrics.event_filter.active_user_count": "long", | |
"Endpoint.metrics.malicious_behavior_rules": "object", | |
"Endpoint.metrics.malicious_behavior_rules.endpoint_uptime_percent": "double", | |
"Endpoint.metrics.malicious_behavior_rules.id": "keyword", | |
"Endpoint.metrics.memory": "object", | |
"Endpoint.metrics.memory.endpoint": "object", | |
"Endpoint.metrics.memory.endpoint.private": "object", | |
"Endpoint.metrics.memory.endpoint.private.latest": "long", | |
"Endpoint.metrics.memory.endpoint.private.mean": "long", | |
"Endpoint.metrics.system_impact": "object", | |
"Endpoint.metrics.system_impact.authentication_events.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.authentication_events.week_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.dns_events.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.dns_events.week_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.etw_events.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.etw_events.week_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.file_events.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.file_events.week_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.library_load_events.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.library_load_events.week_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.malware.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.malware.week_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.network_events.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.network_events.week_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.overall.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.overall.week_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.process.code_signature": "nested", | |
"Endpoint.metrics.system_impact.process.code_signature.exists": "boolean", | |
"Endpoint.metrics.system_impact.process.code_signature.signing_id": "keyword", | |
"Endpoint.metrics.system_impact.process.code_signature.status": "keyword", | |
"Endpoint.metrics.system_impact.process.code_signature.subject_name": "keyword", | |
"Endpoint.metrics.system_impact.process.code_signature.team_id": "keyword", | |
"Endpoint.metrics.system_impact.process.code_signature.trusted": "boolean", | |
"Endpoint.metrics.system_impact.process.code_signature.valid": "boolean", | |
"Endpoint.metrics.system_impact.process.executable": "unsigned_long", | |
"Endpoint.metrics.system_impact.process_events.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.process_events.week_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.registry_events.week_idle_ms": "unsigned_long", | |
"Endpoint.metrics.system_impact.registry_events.week_ms": "unsigned_long", | |
"Endpoint.metrics.threads": "object", | |
"Endpoint.metrics.threads.cpu.mean": "double", | |
"Endpoint.metrics.threads.name": "keyword", | |
"Endpoint.metrics.uptime": "object", | |
"Endpoint.metrics.uptime.endpoint": "long", | |
"Endpoint.metrics.uptime.system": "long", | |
"Endpoint.policy": "object", | |
"Endpoint.policy.applied": "object", | |
"Endpoint.policy.applied.actions": "nested", | |
"Endpoint.policy.applied.actions.message": "keyword", | |
"Endpoint.policy.applied.actions.name": "keyword", | |
"Endpoint.policy.applied.actions.status": "keyword", | |
"Endpoint.policy.applied.artifacts": "object", | |
"Endpoint.policy.applied.artifacts.global": "object", | |
"Endpoint.policy.applied.artifacts.global.identifiers": "nested", | |
"Endpoint.policy.applied.artifacts.global.identifiers.name": "keyword", | |
"Endpoint.policy.applied.artifacts.global.identifiers.sha256": "keyword", | |
"Endpoint.policy.applied.artifacts.global.version": "keyword", | |
"Endpoint.policy.applied.artifacts.user": "object", | |
"Endpoint.policy.applied.artifacts.user.identifiers": "nested", | |
"Endpoint.policy.applied.artifacts.user.identifiers.name": "keyword", | |
"Endpoint.policy.applied.artifacts.user.identifiers.sha256": "keyword", | |
"Endpoint.policy.applied.artifacts.user.version": "keyword", | |
"Endpoint.policy.applied.endpoint_policy_version": "keyword", | |
"Endpoint.policy.applied.id": "keyword", | |
"Endpoint.policy.applied.name": "keyword", | |
"Endpoint.policy.applied.response": "object", | |
"Endpoint.policy.applied.response.configurations": "object", | |
"Endpoint.policy.applied.response.configurations.antivirus_registration": "object", | |
"Endpoint.policy.applied.response.configurations.antivirus_registration.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.antivirus_registration.status": "keyword", | |
"Endpoint.policy.applied.response.configurations.attack_surface_reduction.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.attack_surface_reduction.status": "keyword", | |
"Endpoint.policy.applied.response.configurations.behavior_protection.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.behavior_protection.status": "keyword", | |
"Endpoint.policy.applied.response.configurations.events": "object", | |
"Endpoint.policy.applied.response.configurations.events.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.events.status": "keyword", | |
"Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.host_isolation.status": "keyword", | |
"Endpoint.policy.applied.response.configurations.logging": "object", | |
"Endpoint.policy.applied.response.configurations.logging.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.logging.status": "keyword", | |
"Endpoint.policy.applied.response.configurations.malware": "object", | |
"Endpoint.policy.applied.response.configurations.malware.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.malware.status": "keyword", | |
"Endpoint.policy.applied.response.configurations.memory_protection": "object", | |
"Endpoint.policy.applied.response.configurations.memory_protection.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.memory_protection.status": "keyword", | |
"Endpoint.policy.applied.response.configurations.ransomware.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.ransomware.status": "keyword", | |
"Endpoint.policy.applied.response.configurations.streaming": "object", | |
"Endpoint.policy.applied.response.configurations.streaming.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.configurations.streaming.status": "keyword", | |
"Endpoint.policy.applied.response.diagnostic": "object", | |
"Endpoint.policy.applied.response.diagnostic.behavior_protection.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.behavior_protection.status": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.credential_protection.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.credential_protection.status": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.malware.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.malware.status": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.memory_protection.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.memory_protection.status": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.memory_scan.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.memory_scan.status": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.ransomware.concerned_actions": "keyword", | |
"Endpoint.policy.applied.response.diagnostic.ransomware.status": "keyword", | |
"Endpoint.policy.applied.status": "keyword", | |
"Endpoint.policy.applied.version": "keyword", | |
"Endpoint.state": "object", | |
"Endpoint.state.isolation": "boolean", | |
"Endpoint.status": "keyword", | |
"EndpointActions.action_id": "keyword", | |
"EndpointActions.completed_at": "date", | |
"EndpointActions.data": "object", | |
"EndpointActions.data.command": "keyword", | |
"EndpointActions.data.comment": "text", | |
"EndpointActions.expiration": "date", | |
"EndpointActions.input_type": "keyword", | |
"EndpointActions.started_at": "date", | |
"EndpointActions.status": "keyword", | |
"EndpointActions.type": "keyword", | |
"Events": "object", | |
"Memory_protection.cross_session": "boolean", | |
"Memory_protection.feature": "keyword", | |
"Memory_protection.parent_to_child": "boolean", | |
"Memory_protection.self_injection": "boolean", | |
"Memory_protection.thread_count": "long", | |
"Memory_protection.unique_key_v1": "keyword", | |
"Persistence.args": "keyword", | |
"Persistence.executable": "keyword", | |
"Persistence.keepalive": "boolean", | |
"Persistence.name": "keyword", | |
"Persistence.path": "keyword", | |
"Persistence.runatload": "boolean", | |
"Ransomware.child_processes.executable": "keyword", | |
"Ransomware.child_processes.feature": "keyword", | |
"Ransomware.child_processes.files": "nested", | |
"Ransomware.child_processes.files.data": "keyword", | |
"Ransomware.child_processes.files.entropy": "double", | |
"Ransomware.child_processes.files.extension": "keyword", | |
"Ransomware.child_processes.files.metrics": "keyword", | |
"Ransomware.child_processes.files.operation": "keyword", | |
"Ransomware.child_processes.files.original.extension": "keyword", | |
"Ransomware.child_processes.files.original.path": "keyword", | |
"Ransomware.child_processes.files.path": "keyword", | |
"Ransomware.child_processes.files.score": "double", | |
"Ransomware.child_processes.pid": "long", | |
"Ransomware.child_processes.score": "double", | |
"Ransomware.child_processes.version": "keyword", | |
"Ransomware.executable": "keyword", | |
"Ransomware.feature": "keyword", | |
"Ransomware.files": "nested", | |
"Ransomware.files.data": "keyword", | |
"Ransomware.files.entropy": "double", | |
"Ransomware.files.extension": "keyword", | |
"Ransomware.files.metrics": "keyword", | |
"Ransomware.files.operation": "keyword", | |
"Ransomware.files.original.extension": "keyword", | |
"Ransomware.files.original.path": "keyword", | |
"Ransomware.files.path": "keyword", | |
"Ransomware.files.score": "double", | |
"Ransomware.pid": "long", | |
"Ransomware.score": "double", | |
"Ransomware.version": "keyword", | |
"Responses.@timestamp": "date", | |
"Responses.action": "nested", | |
"Responses.action.action": "keyword", | |
"Responses.action.field": "text", | |
"Responses.action.file.attributes": "keyword", | |
"Responses.action.file.path": "keyword", | |
"Responses.action.source.attributes": "keyword", | |
"Responses.action.source.path": "keyword", | |
"Responses.action.state": "long", | |
"Responses.action.tree": "boolean", | |
"Responses.message": "text", | |
"Responses.process": "nested", | |
"Responses.process.entity_id": "text", | |
"Responses.process.name": "keyword", | |
"Responses.process.pid": "long", | |
"Responses.result": "long", | |
"Target.dll.Ext": "object", | |
"Target.dll.Ext.code_signature": "nested", | |
"Target.dll.Ext.code_signature.exists": "boolean", | |
"Target.dll.Ext.code_signature.status": "keyword", | |
"Target.dll.Ext.code_signature.subject_name": "keyword", | |
"Target.dll.Ext.code_signature.trusted": "boolean", | |
"Target.dll.Ext.code_signature.valid": "boolean", | |
"Target.dll.Ext.compile_time": "date", | |
"Target.dll.Ext.malware_classification.features": "object", | |
"Target.dll.Ext.malware_classification.features.data.buffer": "keyword", | |
"Target.dll.Ext.malware_classification.features.data.decompressed_size": "integer", | |
"Target.dll.Ext.malware_classification.features.data.encoding": "keyword", | |
"Target.dll.Ext.malware_classification.identifier": "keyword", | |
"Target.dll.Ext.malware_classification.score": "double", | |
"Target.dll.Ext.malware_classification.threshold": "double", | |
"Target.dll.Ext.malware_classification.upx_packed": "boolean", | |
"Target.dll.Ext.malware_classification.version": "keyword", | |
"Target.dll.Ext.mapped_address": "unsigned_long", | |
"Target.dll.Ext.mapped_size": "unsigned_long", | |
"Target.dll.code_signature.exists": "boolean", | |
"Target.dll.code_signature.signing_id": "keyword", | |
"Target.dll.code_signature.status": "keyword", | |
"Target.dll.code_signature.subject_name": "keyword", | |
"Target.dll.code_signature.team_id": "keyword", | |
"Target.dll.code_signature.trusted": "boolean", | |
"Target.dll.code_signature.valid": "boolean", | |
"Target.dll.hash.md5": "keyword", | |
"Target.dll.hash.sha1": "keyword", | |
"Target.dll.hash.sha256": "keyword", | |
"Target.dll.hash.sha512": "keyword", | |
"Target.dll.name": "keyword", | |
"Target.dll.path": "keyword", | |
"Target.dll.pe.company": "keyword", | |
"Target.dll.pe.description": "keyword", | |
"Target.dll.pe.file_version": "keyword", | |
"Target.dll.pe.imphash": "keyword", | |
"Target.dll.pe.original_file_name": "keyword", | |
"Target.dll.pe.product": "keyword", | |
"Target.process.Ext": "object", | |
"Target.process.Ext.ancestry": "keyword", | |
"Target.process.Ext.architecture": "keyword", | |
"Target.process.Ext.authentication_id": "keyword", | |
"Target.process.Ext.code_signature": "nested", | |
"Target.process.Ext.code_signature.exists": "boolean", | |
"Target.process.Ext.code_signature.status": "keyword", | |
"Target.process.Ext.code_signature.subject_name": "keyword", | |
"Target.process.Ext.code_signature.trusted": "boolean", | |
"Target.process.Ext.code_signature.valid": "boolean", | |
"Target.process.Ext.dll.Ext": "object", | |
"Target.process.Ext.dll.Ext.code_signature": "nested", | |
"Target.process.Ext.dll.Ext.code_signature.exists": "boolean", | |
"Target.process.Ext.dll.Ext.code_signature.status": "keyword", | |
"Target.process.Ext.dll.Ext.code_signature.subject_name": "keyword", | |
"Target.process.Ext.dll.Ext.code_signature.trusted": "boolean", | |
"Target.process.Ext.dll.Ext.code_signature.valid": "boolean", | |
"Target.process.Ext.dll.Ext.compile_time": "date", | |
"Target.process.Ext.dll.Ext.mapped_address": "unsigned_long", | |
"Target.process.Ext.dll.Ext.mapped_size": "unsigned_long", | |
"Target.process.Ext.dll.code_signature.exists": "boolean", | |
"Target.process.Ext.dll.code_signature.signing_id": "keyword", | |
"Target.process.Ext.dll.code_signature.status": "keyword", | |
"Target.process.Ext.dll.code_signature.subject_name": "keyword", | |
"Target.process.Ext.dll.code_signature.team_id": "keyword", | |
"Target.process.Ext.dll.code_signature.trusted": "boolean", | |
"Target.process.Ext.dll.code_signature.valid": "boolean", | |
"Target.process.Ext.dll.hash.md5": "keyword", | |
"Target.process.Ext.dll.hash.sha1": "keyword", | |
"Target.process.Ext.dll.hash.sha256": "keyword", | |
"Target.process.Ext.dll.hash.sha512": "keyword", | |
"Target.process.Ext.dll.name": "keyword", | |
"Target.process.Ext.dll.path": "keyword", | |
"Target.process.Ext.dll.pe.company": "keyword", | |
"Target.process.Ext.dll.pe.description": "keyword", | |
"Target.process.Ext.dll.pe.file_version": "keyword", | |
"Target.process.Ext.dll.pe.imphash": "keyword", | |
"Target.process.Ext.dll.pe.original_file_name": "keyword", | |
"Target.process.Ext.dll.pe.product": "keyword", | |
"Target.process.Ext.malware_classification.features": "object", | |
"Target.process.Ext.malware_classification.features.data.buffer": "keyword", | |
"Target.process.Ext.malware_classification.features.data.decompressed_size": "integer", | |
"Target.process.Ext.malware_classification.features.data.encoding": "keyword", | |
"Target.process.Ext.malware_classification.identifier": "keyword", | |
"Target.process.Ext.malware_classification.score": "double", | |
"Target.process.Ext.malware_classification.threshold": "double", | |
"Target.process.Ext.malware_classification.upx_packed": "boolean", | |
"Target.process.Ext.malware_classification.version": "keyword", | |
"Target.process.Ext.memory_region.allocation_base": "unsigned_long", | |
"Target.process.Ext.memory_region.allocation_protection": "keyword", | |
"Target.process.Ext.memory_region.allocation_size": "unsigned_long", | |
"Target.process.Ext.memory_region.allocation_type": "keyword", | |
"Target.process.Ext.memory_region.bytes_address": "unsigned_long", | |
"Target.process.Ext.memory_region.bytes_allocation_offset": "unsigned_long", | |
"Target.process.Ext.memory_region.bytes_compressed": "keyword", | |
"Target.process.Ext.memory_region.bytes_compressed_present": "boolean", | |
"Target.process.Ext.memory_region.malware_signature.all_names": "keyword", | |
"Target.process.Ext.memory_region.malware_signature.identifier": "keyword", | |
"Target.process.Ext.memory_region.malware_signature.primary": "object", | |
"Target.process.Ext.memory_region.malware_signature.primary.matches": "keyword", | |
"Target.process.Ext.memory_region.malware_signature.primary.signature.hash": "nested", | |
"Target.process.Ext.memory_region.malware_signature.primary.signature.hash.sha256": "keyword", | |
"Target.process.Ext.memory_region.malware_signature.primary.signature.id": "keyword", | |
"Target.process.Ext.memory_region.malware_signature.primary.signature.name": "keyword", | |
"Target.process.Ext.memory_region.malware_signature.version": "keyword", | |
"Target.process.Ext.memory_region.mapped_path": "keyword", | |
"Target.process.Ext.memory_region.mapped_pe.company": "keyword", | |
"Target.process.Ext.memory_region.mapped_pe.description": "keyword", | |
"Target.process.Ext.memory_region.mapped_pe.file_version": "keyword", | |
"Target.process.Ext.memory_region.mapped_pe.imphash": "keyword", | |
"Target.process.Ext.memory_region.mapped_pe.original_file_name": "keyword", | |
"Target.process.Ext.memory_region.mapped_pe.product": "keyword", | |
"Target.process.Ext.memory_region.mapped_pe_detected": "boolean", | |
"Target.process.Ext.memory_region.memory_pe.company": "keyword", | |
"Target.process.Ext.memory_region.memory_pe.description": "keyword", | |
"Target.process.Ext.memory_region.memory_pe.file_version": "keyword", | |
"Target.process.Ext.memory_region.memory_pe.imphash": "keyword", | |
"Target.process.Ext.memory_region.memory_pe.original_file_name": "keyword", | |
"Target.process.Ext.memory_region.memory_pe.product": "keyword", | |
"Target.process.Ext.memory_region.memory_pe_detected": "boolean", | |
"Target.process.Ext.memory_region.region_base": "unsigned_long", | |
"Target.process.Ext.memory_region.region_protection": "keyword", | |
"Target.process.Ext.memory_region.region_size": "unsigned_long", | |
"Target.process.Ext.memory_region.region_state": "keyword", | |
"Target.process.Ext.memory_region.strings": "keyword", | |
"Target.process.Ext.protection": "keyword", | |
"Target.process.Ext.services": "keyword", | |
"Target.process.Ext.session": "keyword", | |
"Target.process.Ext.token.domain": "keyword", | |
"Target.process.Ext.token.elevation": "boolean", | |
"Target.process.Ext.token.elevation_type": "keyword", | |
"Target.process.Ext.token.impersonation_level": "keyword", | |
"Target.process.Ext.token.integrity_level": "long", | |
"Target.process.Ext.token.integrity_level_name": "keyword", | |
"Target.process.Ext.token.is_appcontainer": "boolean", | |
"Target.process.Ext.token.privileges": "nested", | |
"Target.process.Ext.token.privileges.description": "keyword", | |
"Target.process.Ext.token.privileges.enabled": "boolean", | |
"Target.process.Ext.token.privileges.name": "keyword", | |
"Target.process.Ext.token.sid": "keyword", | |
"Target.process.Ext.token.type": "keyword", | |
"Target.process.Ext.token.user": "keyword", | |
"Target.process.Ext.user": "keyword", | |
"Target.process.args": "keyword", | |
"Target.process.args_count": "long", | |
"Target.process.code_signature.exists": "boolean", | |
"Target.process.code_signature.signing_id": "keyword", | |
"Target.process.code_signature.status": "keyword", | |
"Target.process.code_signature.subject_name": "keyword", | |
"Target.process.code_signature.team_id": "keyword", | |
"Target.process.code_signature.trusted": "boolean", | |
"Target.process.code_signature.valid": "boolean", | |
"Target.process.command_line": "wildcard", | |
"Target.process.entity_id": "keyword", | |
"Target.process.executable": "keyword", | |
"Target.process.exit_code": "long", | |
"Target.process.hash.md5": "keyword", | |
"Target.process.hash.sha1": "keyword", | |
"Target.process.hash.sha256": "keyword", | |
"Target.process.hash.sha512": "keyword", | |
"Target.process.name": "keyword", | |
"Target.process.parent.Ext": "object", | |
"Target.process.parent.Ext.architecture": "keyword", | |
"Target.process.parent.Ext.code_signature": "nested", | |
"Target.process.parent.Ext.code_signature.exists": "boolean", | |
"Target.process.parent.Ext.code_signature.status": "keyword", | |
"Target.process.parent.Ext.code_signature.subject_name": "keyword", | |
"Target.process.parent.Ext.code_signature.trusted": "boolean", | |
"Target.process.parent.Ext.code_signature.valid": "boolean", | |
"Target.process.parent.Ext.dll.Ext": "object", | |
"Target.process.parent.Ext.dll.Ext.code_signature": "nested", | |
"Target.process.parent.Ext.dll.Ext.code_signature.exists": "boolean", | |
"Target.process.parent.Ext.dll.Ext.code_signature.status": "keyword", | |
"Target.process.parent.Ext.dll.Ext.code_signature.subject_name": "keyword", | |
"Target.process.parent.Ext.dll.Ext.code_signature.trusted": "boolean", | |
"Target.process.parent.Ext.dll.Ext.code_signature.valid": "boolean", | |
"Target.process.parent.Ext.dll.Ext.compile_time": "date", | |
"Target.process.parent.Ext.dll.Ext.mapped_address": "unsigned_long", | |
"Target.process.parent.Ext.dll.Ext.mapped_size": "unsigned_long", | |
"Target.process.parent.Ext.dll.code_signature.exists": "boolean", | |
"Target.process.parent.Ext.dll.code_signature.signing_id": "keyword", | |
"Target.process.parent.Ext.dll.code_signature.status": "keyword", | |
"Target.process.parent.Ext.dll.code_signature.subject_name": "keyword", | |
"Target.process.parent.Ext.dll.code_signature.team_id": "keyword", | |
"Target.process.parent.Ext.dll.code_signature.trusted": "boolean", | |
"Target.process.parent.Ext.dll.code_signature.valid": "boolean", | |
"Target.process.parent.Ext.dll.hash.md5": "keyword", | |
"Target.process.parent.Ext.dll.hash.sha1": "keyword", | |
"Target.process.parent.Ext.dll.hash.sha256": "keyword", | |
"Target.process.parent.Ext.dll.hash.sha512": "keyword", | |
"Target.process.parent.Ext.dll.name": "keyword", | |
"Target.process.parent.Ext.dll.path": "keyword", | |
"Target.process.parent.Ext.dll.pe.company": "keyword", | |
"Target.process.parent.Ext.dll.pe.description": "keyword", | |
"Target.process.parent.Ext.dll.pe.file_version": "keyword", | |
"Target.process.parent.Ext.dll.pe.imphash": "keyword", | |
"Target.process.parent.Ext.dll.pe.original_file_name": "keyword", | |
"Target.process.parent.Ext.dll.pe.product": "keyword", | |
"Target.process.parent.Ext.protection": "keyword", | |
"Target.process.parent.Ext.real": "object", | |
"Target.process.parent.Ext.real.pid": "long", | |
"Target.process.parent.Ext.token.domain": "keyword", | |
"Target.process.parent.Ext.token.elevation": "boolean", | |
"Target.process.parent.Ext.token.elevation_type": "keyword", | |
"Target.process.parent.Ext.token.impersonation_level": "keyword", | |
"Target.process.parent.Ext.token.integrity_level": "long", | |
"Target.process.parent.Ext.token.integrity_level_name": "keyword", | |
"Target.process.parent.Ext.token.is_appcontainer": "boolean", | |
"Target.process.parent.Ext.token.privileges": "nested", | |
"Target.process.parent.Ext.token.privileges.description": "keyword", | |
"Target.process.parent.Ext.token.privileges.enabled": "boolean", | |
"Target.process.parent.Ext.token.privileges.name": "keyword", | |
"Target.process.parent.Ext.token.sid": "keyword", | |
"Target.process.parent.Ext.token.type": "keyword", | |
"Target.process.parent.Ext.token.user": "keyword", | |
"Target.process.parent.Ext.user": "keyword", | |
"Target.process.parent.args": "keyword", | |
"Target.process.parent.args_count": "long", | |
"Target.process.parent.code_signature.exists": "boolean", | |
"Target.process.parent.code_signature.signing_id": "keyword", | |
"Target.process.parent.code_signature.status": "keyword", | |
"Target.process.parent.code_signature.subject_name": "keyword", | |
"Target.process.parent.code_signature.team_id": "keyword", | |
"Target.process.parent.code_signature.trusted": "boolean", | |
"Target.process.parent.code_signature.valid": "boolean", | |
"Target.process.parent.command_line": "wildcard", | |
"Target.process.parent.entity_id": "keyword", | |
"Target.process.parent.executable": "keyword", | |
"Target.process.parent.exit_code": "long", | |
"Target.process.parent.hash.md5": "keyword", | |
"Target.process.parent.hash.sha1": "keyword", | |
"Target.process.parent.hash.sha256": "keyword", | |
"Target.process.parent.hash.sha512": "keyword", | |
"Target.process.parent.name": "keyword", | |
"Target.process.parent.pe.company": "keyword", | |
"Target.process.parent.pe.description": "keyword", | |
"Target.process.parent.pe.file_version": "keyword", | |
"Target.process.parent.pe.imphash": "keyword", | |
"Target.process.parent.pe.original_file_name": "keyword", | |
"Target.process.parent.pe.product": "keyword", | |
"Target.process.parent.pgid": "long", | |
"Target.process.parent.pid": "long", | |
"Target.process.parent.ppid": "long", | |
"Target.process.parent.start": "date", | |
"Target.process.parent.thread.id": "long", | |
"Target.process.parent.thread.name": "keyword", | |
"Target.process.parent.title": "keyword", | |
"Target.process.parent.uptime": "long", | |
"Target.process.parent.working_directory": "keyword", | |
"Target.process.pe.company": "keyword", | |
"Target.process.pe.description": "keyword", | |
"Target.process.pe.file_version": "keyword", | |
"Target.process.pe.imphash": "keyword", | |
"Target.process.pe.original_file_name": "keyword", | |
"Target.process.pe.product": "keyword", | |
"Target.process.pgid": "long", | |
"Target.process.pid": "long", | |
"Target.process.ppid": "long", | |
"Target.process.start": "date", | |
"Target.process.thread.Ext": "object", | |
"Target.process.thread.Ext.call_stack": "object", | |
"Target.process.thread.Ext.call_stack.instruction_pointer": "keyword", | |
"Target.process.thread.Ext.call_stack.memory_section.memory_address": "keyword", | |
"Target.process.thread.Ext.call_stack.memory_section.memory_size": "keyword", | |
"Target.process.thread.Ext.call_stack.memory_section.protection": "keyword", | |
"Target.process.thread.Ext.call_stack.module_name": "keyword", | |
"Target.process.thread.Ext.call_stack.module_path": "keyword", | |
"Target.process.thread.Ext.call_stack.rva": "keyword", | |
"Target.process.thread.Ext.call_stack.symbol_info": "keyword", | |
"Target.process.thread.Ext.call_stack_final_user_module": "nested", | |
"Target.process.thread.Ext.call_stack_final_user_module.code_signature": "nested", | |
"Target.process.thread.Ext.call_stack_final_user_module.code_signature.exists": "boolean", | |
"Target.process.thread.Ext.call_stack_final_user_module.code_signature.status": "keyword", | |
"Target.process.thread.Ext.call_stack_final_user_module.code_signature.subject_name": "keyword", | |
"Target.process.thread.Ext.call_stack_final_user_module.code_signature.trusted": "boolean", | |
"Target.process.thread.Ext.call_stack_final_user_module.code_signature.valid": "boolean", | |
"Target.process.thread.Ext.call_stack_final_user_module.hash": "object", | |
"Target.process.thread.Ext.call_stack_final_user_module.hash.sha256": "keyword", | |
"Target.process.thread.Ext.call_stack_final_user_module.name": "keyword", | |
"Target.process.thread.Ext.call_stack_final_user_module.path": "keyword", | |
"Target.process.thread.Ext.call_stack_summary": "keyword", | |
"Target.process.thread.Ext.hardware_breakpoint_set": "boolean", | |
"Target.process.thread.Ext.parameter": "unsigned_long", | |
"Target.process.thread.Ext.parameter_bytes_compressed": "keyword", | |
"Target.process.thread.Ext.parameter_bytes_compressed_present": "boolean", | |
"Target.process.thread.Ext.service": "keyword", | |
"Target.process.thread.Ext.start": "date", | |
"Target.process.thread.Ext.start_address": "unsigned_long", | |
"Target.process.thread.Ext.start_address_allocation_offset": "unsigned_long", | |
"Target.process.thread.Ext.start_address_bytes": "keyword", | |
"Target.process.thread.Ext.start_address_bytes_disasm": "keyword", | |
"Target.process.thread.Ext.start_address_bytes_disasm_hash": "keyword", | |
"Target.process.thread.Ext.start_address_module": "keyword", | |
"Target.process.thread.Ext.token.domain": "keyword", | |
"Target.process.thread.Ext.token.elevation": "boolean", | |
"Target.process.thread.Ext.token.elevation_type": "keyword", | |
"Target.process.thread.Ext.token.impersonation_level": "keyword", | |
"Target.process.thread.Ext.token.integrity_level": "long", | |
"Target.process.thread.Ext.token.integrity_level_name": "keyword", | |
"Target.process.thread.Ext.token.is_appcontainer": "boolean", | |
"Target.process.thread.Ext.token.privileges": "nested", | |
"Target.process.thread.Ext.token.privileges.description": "keyword", | |
"Target.process.thread.Ext.token.privileges.enabled": "boolean", | |
"Target.process.thread.Ext.token.privileges.name": "keyword", | |
"Target.process.thread.Ext.token.sid": "keyword", | |
"Target.process.thread.Ext.token.type": "keyword", | |
"Target.process.thread.Ext.token.user": "keyword", | |
"Target.process.thread.Ext.uptime": "long", | |
"Target.process.thread.id": "long", | |
"Target.process.thread.name": "keyword", | |
"Target.process.title": "keyword", | |
"Target.process.uptime": "long", | |
"Target.process.working_directory": "keyword", | |
"action_id": "alias", | |
"agent.build.original": "keyword", | |
"agent.ephemeral_id": "keyword", | |
"agent.id": "keyword", | |
"agent.name": "keyword", | |
"agent.type": "keyword", | |
"agent.version": "keyword", | |
"agent_id": "alias", | |
"agents": "alias", | |
"cloud.account.id": "keyword", | |
"cloud.instance.name": "keyword", | |
"cloud.project.id": "keyword", | |
"cloud.provider": "keyword", | |
"cloud.region": "keyword", | |
"completed_at": "alias", | |
"container.id": "keyword", | |
"container.image.hash.all": "keyword", | |
"container.image.name": "keyword", | |
"container.image.tag": "keyword", | |
"container.name": "keyword", | |
"data.command": "alias", | |
"data.comment": "alias", | |
"data_stream.dataset": "constant_keyword", | |
"data_stream.namespace": "constant_keyword", | |
"data_stream.type": "constant_keyword", | |
"destination.address": "keyword", | |
"destination.as.number": "long", | |
"destination.as.organization.name": "keyword", | |
"destination.bytes": "long", | |
"destination.domain": "keyword", | |
"destination.geo.city_name": "keyword", | |
"destination.geo.continent_code": "keyword", | |
"destination.geo.continent_name": "keyword", | |
"destination.geo.country_iso_code": "keyword", | |
"destination.geo.country_name": "keyword", | |
"destination.geo.location": "geo_point", | |
"destination.geo.name": "keyword", | |
"destination.geo.postal_code": "keyword", | |
"destination.geo.region_iso_code": "keyword", | |
"destination.geo.region_name": "keyword", | |
"destination.geo.timezone": "keyword", | |
"destination.ip": "ip", | |
"destination.packets": "long", | |
"destination.port": "long", | |
"destination.registered_domain": "keyword", | |
"destination.top_level_domain": "keyword", | |
"dll.Ext": "object", | |
"dll.Ext.code_signature": "nested", | |
"dll.Ext.code_signature.exists": "boolean", | |
"dll.Ext.code_signature.status": "keyword", | |
"dll.Ext.code_signature.subject_name": "keyword", | |
"dll.Ext.code_signature.trusted": "boolean", | |
"dll.Ext.code_signature.valid": "boolean", | |
"dll.Ext.compile_time": "date", | |
"dll.Ext.defense_evasions": "keyword", | |
"dll.Ext.device.bus_type": "keyword", | |
"dll.Ext.device.dos_name": "keyword", | |
"dll.Ext.device.nt_name": "keyword", | |
"dll.Ext.device.product_id": "keyword", | |
"dll.Ext.device.serial_number": "keyword", | |
"dll.Ext.device.vendor_id": "keyword", | |
"dll.Ext.device.volume_device_type": "keyword", | |
"dll.Ext.load_index": "unsigned_long", | |
"dll.Ext.malware_classification.features": "object", | |
"dll.Ext.malware_classification.features.data.buffer": "keyword", | |
"dll.Ext.malware_classification.features.data.decompressed_size": "integer", | |
"dll.Ext.malware_classification.features.data.encoding": "keyword", | |
"dll.Ext.malware_classification.identifier": "keyword", | |
"dll.Ext.malware_classification.score": "double", | |
"dll.Ext.malware_classification.threshold": "double", | |
"dll.Ext.malware_classification.upx_packed": "boolean", | |
"dll.Ext.malware_classification.version": "keyword", | |
"dll.Ext.mapped_address": "unsigned_long", | |
"dll.Ext.mapped_size": "unsigned_long", | |
"dll.Ext.relative_file_creation_time": "double", | |
"dll.Ext.relative_file_name_modify_time": "double", | |
"dll.Ext.size": "unsigned_long", | |
"dll.code_signature.exists": "boolean", | |
"dll.code_signature.signing_id": "keyword", | |
"dll.code_signature.status": "keyword", | |
"dll.code_signature.subject_name": "keyword", | |
"dll.code_signature.team_id": "keyword", | |
"dll.code_signature.trusted": "boolean", | |
"dll.code_signature.valid": "boolean", | |
"dll.hash.md5": "keyword", | |
"dll.hash.sha1": "keyword", | |
"dll.hash.sha256": "keyword", | |
"dll.hash.sha512": "keyword", | |
"dll.name": "keyword", | |
"dll.path": "keyword", | |
"dll.pe.company": "keyword", | |
"dll.pe.description": "keyword", | |
"dll.pe.file_version": "keyword", | |
"dll.pe.imphash": "keyword", | |
"dll.pe.original_file_name": "keyword", | |
"dll.pe.product": "keyword", | |
"dns.Ext": "object", | |
"dns.Ext.options": "keyword", | |
"dns.Ext.status": "long", | |
"dns.question.name": "keyword", | |
"dns.question.registered_domain": "keyword", | |
"dns.question.subdomain": "keyword", | |
"dns.question.top_level_domain": "keyword", | |
"dns.question.type": "keyword", | |
"dns.resolved_ip": "ip", | |
"ecs.version": "keyword", | |
"elastic.agent": "object", | |
"elastic.agent.id": "keyword", | |
"error.code": "keyword", | |
"error.id": "keyword", | |
"error.message": "match_only_text", | |
"error.stack_trace": "wildcard", | |
"error.type": "keyword", | |
"event.Ext": "object", | |
"event.Ext.correlation": "object", | |
"event.Ext.correlation.id": "keyword", | |
"event.action": "keyword", | |
"event.category": "keyword", | |
"event.code": "keyword", | |
"event.created": "date", | |
"event.dataset": "keyword", | |
"event.end": "date", | |
"event.hash": "keyword", | |
"event.id": "keyword", | |
"event.ingested": "date", | |
"event.kind": "keyword", | |
"event.module": "keyword", | |
"event.outcome": "keyword", | |
"event.provider": "keyword", | |
"event.risk_score": "float", | |
"event.sequence": "long", | |
"event.severity": "long", | |
"event.start": "date", | |
"event.type": "keyword", | |
"expiration": "alias", | |
"file.Ext": "object", | |
"file.Ext.code_signature": "nested", | |
"file.Ext.code_signature.exists": "boolean", | |
"file.Ext.code_signature.status": "keyword", | |
"file.Ext.code_signature.subject_name": "keyword", | |
"file.Ext.code_signature.trusted": "boolean", | |
"file.Ext.code_signature.valid": "boolean", | |
"file.Ext.device.bus_type": "keyword", | |
"file.Ext.device.dos_name": "keyword", | |
"file.Ext.device.nt_name": "keyword", | |
"file.Ext.device.product_id": "keyword", | |
"file.Ext.device.serial_number": "keyword", | |
"file.Ext.device.vendor_id": "keyword", | |
"file.Ext.device.volume_device_type": "keyword", | |
"file.Ext.entropy": "double", | |
"file.Ext.entry_modified": "double", | |
"file.Ext.header_bytes": "keyword", | |
"file.Ext.header_data": "text", | |
"file.Ext.macro.code_page": "long", | |
"file.Ext.macro.collection": "object", | |
"file.Ext.macro.collection.hash.md5": "keyword", | |
"file.Ext.macro.collection.hash.sha1": "keyword", | |
"file.Ext.macro.collection.hash.sha256": "keyword", | |
"file.Ext.macro.collection.hash.sha512": "keyword", | |
"file.Ext.macro.errors": "nested", | |
"file.Ext.macro.errors.count": "long", | |
"file.Ext.macro.errors.error_type": "keyword", | |
"file.Ext.macro.file_extension": "keyword", | |
"file.Ext.macro.project_file": "object", | |
"file.Ext.macro.project_file.hash.md5": "keyword", | |
"file.Ext.macro.project_file.hash.sha1": "keyword", | |
"file.Ext.macro.project_file.hash.sha256": "keyword", | |
"file.Ext.macro.project_file.hash.sha512": "keyword", | |
"file.Ext.macro.stream": "nested", | |
"file.Ext.macro.stream.hash.md5": "keyword", | |
"file.Ext.macro.stream.hash.sha1": "keyword", | |
"file.Ext.macro.stream.hash.sha256": "keyword", | |
"file.Ext.macro.stream.hash.sha512": "keyword", | |
"file.Ext.macro.stream.name": "keyword", | |
"file.Ext.macro.stream.raw_code": "keyword", | |
"file.Ext.macro.stream.raw_code_size": "keyword", | |
"file.Ext.malware_classification.features": "object", | |
"file.Ext.malware_classification.features.data.buffer": "keyword", | |
"file.Ext.malware_classification.features.data.decompressed_size": "integer", | |
"file.Ext.malware_classification.features.data.encoding": "keyword", | |
"file.Ext.malware_classification.identifier": "keyword", | |
"file.Ext.malware_classification.score": "double", | |
"file.Ext.malware_classification.threshold": "double", | |
"file.Ext.malware_classification.upx_packed": "boolean", | |
"file.Ext.malware_classification.version": "keyword", | |
"file.Ext.malware_signature": "nested", | |
"file.Ext.malware_signature.all_names": "text", | |
"file.Ext.malware_signature.identifier": "text", | |
"file.Ext.malware_signature.primary": "nested", | |
"file.Ext.malware_signature.primary.matches": "nested", | |
"file.Ext.malware_signature.primary.signature": "nested", | |
"file.Ext.malware_signature.primary.signature.hash": "nested", | |
"file.Ext.malware_signature.primary.signature.hash.sha256": "keyword", | |
"file.Ext.malware_signature.primary.signature.id": "keyword", | |
"file.Ext.malware_signature.primary.signature.name": "keyword", | |
"file.Ext.malware_signature.secondary": "nested", | |
"file.Ext.malware_signature.version": "keyword", | |
"file.Ext.monotonic_id": "unsigned_long", | |
"file.Ext.original": "object", | |
"file.Ext.original.gid": "keyword", | |
"file.Ext.original.group": "keyword", | |
"file.Ext.original.mode": "keyword", | |
"file.Ext.original.name": "keyword", | |
"file.Ext.original.owner": "keyword", | |
"file.Ext.original.path": "keyword", | |
"file.Ext.original.uid": "keyword", | |
"file.Ext.quarantine_message": "keyword", | |
"file.Ext.quarantine_path": "keyword", | |
"file.Ext.quarantine_result": "boolean", | |
"file.Ext.temp_file_path": "keyword", | |
"file.Ext.windows": "object", | |
"file.Ext.windows.zone_identifier": "keyword", | |
"file.accessed": "date", | |
"file.attributes": "keyword", | |
"file.code_signature.exists": "boolean", | |
"file.code_signature.signing_id": "keyword", | |
"file.code_signature.status": "keyword", | |
"file.code_signature.subject_name": "keyword", | |
"file.code_signature.team_id": "keyword", | |
"file.code_signature.trusted": "boolean", | |
"file.code_signature.valid": "boolean", | |
"file.created": "date", | |
"file.ctime": "date", | |
"file.device": "keyword", | |
"file.directory": "keyword", | |
"file.drive_letter": "keyword", | |
"file.extension": "keyword", | |
"file.gid": "keyword", | |
"file.group": "keyword", | |
"file.hash.md5": "keyword", | |
"file.hash.sha1": "keyword", | |
"file.hash.sha256": "keyword", | |
"file.hash.sha512": "keyword", | |
"file.inode": "keyword", | |
"file.mime_type": "keyword", | |
"file.mode": "keyword", | |
"file.mtime": "date", | |
"file.name": "keyword", | |
"file.owner": "keyword", | |
"file.path": "keyword", | |
"file.pe.Ext.dotnet": "boolean", | |
"file.pe.Ext.sections": "object", | |
"file.pe.Ext.sections.hash.md5": "keyword", | |
"file.pe.Ext.sections.hash.sha256": "keyword", | |
"file.pe.Ext.sections.name": "keyword", | |
"file.pe.Ext.streams": "object", | |
"file.pe.Ext.streams.hash.md5": "keyword", | |
"file.pe.Ext.streams.hash.sha256": "keyword", | |
"file.pe.Ext.streams.name": "keyword", | |
"file.pe.company": "keyword", | |
"file.pe.description": "keyword", | |
"file.pe.file_version": "keyword", | |
"file.pe.imphash": "keyword", | |
"file.pe.original_file_name": "keyword", | |
"file.pe.product": "keyword", | |
"file.size": "long", | |
"file.target_path": "keyword", | |
"file.type": "keyword", | |
"file.uid": "keyword", | |
"group.Ext": "object", | |
"group.Ext.real": "object", | |
"group.Ext.real.id": "keyword", | |
"group.Ext.real.name": "keyword", | |
"group.domain": "keyword", | |
"group.id": "keyword", | |
"group.name": "keyword", | |
"host.architecture": "keyword", | |
"host.boot.id": "keyword", | |
"host.domain": "keyword", | |
"host.geo.city_name": "keyword", | |
"host.geo.continent_code": "keyword", | |
"host.geo.continent_name": "keyword", | |
"host.geo.country_iso_code": "keyword", | |
"host.geo.country_name": "keyword", | |
"host.geo.location": "geo_point", | |
"host.geo.name": "keyword", | |
"host.geo.postal_code": "keyword", | |
"host.geo.region_iso_code": "keyword", | |
"host.geo.region_name": "keyword", | |
"host.geo.timezone": "keyword", | |
"host.hostname": "keyword", | |
"host.id": "keyword", | |
"host.ip": "ip", | |
"host.mac": "keyword", | |
"host.name": "keyword", | |
"host.os.Ext": "object", | |
"host.os.Ext.variant": "keyword", | |
"host.os.family": "keyword", | |
"host.os.full": "keyword", | |
"host.os.kernel": "keyword", | |
"host.os.name": "keyword", | |
"host.os.platform": "keyword", | |
"host.os.type": "keyword", | |
"host.os.version": "keyword", | |
"host.pid_ns_ino": "keyword", | |
"host.type": "keyword", | |
"host.uptime": "long", | |
"host.user.Ext": "object", | |
"host.user.Ext.real": "object", | |
"host.user.Ext.real.id": "keyword", | |
"host.user.Ext.real.name": "keyword", | |
"host.user.domain": "keyword", | |
"host.user.email": "keyword", | |
"host.user.full_name": "keyword", | |
"host.user.group.Ext": "object", | |
"host.user.group.Ext.real": "object", | |
"host.user.group.Ext.real.id": "keyword", | |
"host.user.group.Ext.real.name": "keyword", | |
"host.user.group.domain": "keyword", | |
"host.user.group.id": "keyword", | |
"host.user.group.name": "keyword", | |
"host.user.hash": "keyword", | |
"host.user.id": "keyword", | |
"host.user.name": "keyword", | |
"http.request.body.bytes": "long", | |
"http.request.body.content": "wildcard", | |
"http.request.bytes": "long", | |
"http.response.Ext": "object", | |
"http.response.Ext.version": "keyword", | |
"http.response.body.bytes": "long", | |
"http.response.body.content": "wildcard", | |
"http.response.bytes": "long", | |
"http.response.status_code": "long", | |
"input_type": "alias", | |
"message": "match_only_text", | |
"network.bytes": "long", | |
"network.community_id": "keyword", | |
"network.direction": "keyword", | |
"network.iana_number": "keyword", | |
"network.packets": "long", | |
"network.protocol": "keyword", | |
"network.transport": "keyword", | |
"network.type": "keyword", | |
"orchestrator.cluster.id": "keyword", | |
"orchestrator.cluster.name": "keyword", | |
"orchestrator.namespace": "keyword", | |
"orchestrator.resource.ip": "ip", | |
"orchestrator.resource.name": "keyword", | |
"orchestrator.resource.parent.type": "keyword", | |
"orchestrator.resource.type": "keyword", | |
"package.name": "keyword", | |
"process.Ext": "object", | |
"process.Ext.ancestry": "keyword", | |
"process.Ext.api.name": "keyword", | |
"process.Ext.api.parameters.desired_access": "keyword", | |
"process.Ext.api.parameters.desired_access_numeric": "long", | |
"process.Ext.api.parameters.handle_type": "keyword", | |
"process.Ext.architecture": "keyword", | |
"process.Ext.authentication_id": "keyword", | |
"process.Ext.code_signature": "nested", | |
"process.Ext.code_signature.exists": "boolean", | |
"process.Ext.code_signature.status": "keyword", | |
"process.Ext.code_signature.subject_name": "keyword", | |
"process.Ext.code_signature.trusted": "boolean", | |
"process.Ext.code_signature.valid": "boolean", | |
"process.Ext.defense_evasions": "keyword", | |
"process.Ext.device.bus_type": "keyword", | |
"process.Ext.device.dos_name": "keyword", | |
"process.Ext.device.nt_name": "keyword", | |
"process.Ext.device.product_id": "keyword", | |
"process.Ext.device.serial_number": "keyword", | |
"process.Ext.device.vendor_id": "keyword", | |
"process.Ext.device.volume_device_type": "keyword", | |
"process.Ext.dll.Ext": "object", | |
"process.Ext.dll.Ext.code_signature": "nested", | |
"process.Ext.dll.Ext.code_signature.exists": "boolean", | |
"process.Ext.dll.Ext.code_signature.status": "keyword", | |
"process.Ext.dll.Ext.code_signature.subject_name": "keyword", | |
"process.Ext.dll.Ext.code_signature.trusted": "boolean", | |
"process.Ext.dll.Ext.code_signature.valid": "boolean", | |
"process.Ext.dll.Ext.compile_time": "date", | |
"process.Ext.dll.Ext.mapped_address": "unsigned_long", | |
"process.Ext.dll.Ext.mapped_size": "unsigned_long", | |
"process.Ext.dll.code_signature.exists": "boolean", | |
"process.Ext.dll.code_signature.signing_id": "keyword", | |
"process.Ext.dll.code_signature.status": "keyword", | |
"process.Ext.dll.code_signature.subject_name": "keyword", | |
"process.Ext.dll.code_signature.team_id": "keyword", | |
"process.Ext.dll.code_signature.trusted": "boolean", | |
"process.Ext.dll.code_signature.valid": "boolean", | |
"process.Ext.dll.hash.md5": "keyword", | |
"process.Ext.dll.hash.sha1": "keyword", | |
"process.Ext.dll.hash.sha256": "keyword", | |
"process.Ext.dll.hash.sha512": "keyword", | |
"process.Ext.dll.name": "keyword", | |
"process.Ext.dll.path": "keyword", | |
"process.Ext.dll.pe.company": "keyword", | |
"process.Ext.dll.pe.description": "keyword", | |
"process.Ext.dll.pe.file_version": "keyword", | |
"process.Ext.dll.pe.imphash": "keyword", | |
"process.Ext.dll.pe.original_file_name": "keyword", | |
"process.Ext.dll.pe.product": "keyword", | |
"process.Ext.effective_parent.entity_id": "keyword", | |
"process.Ext.effective_parent.executable": "keyword", | |
"process.Ext.effective_parent.name": "keyword", | |
"process.Ext.effective_parent.pid": "long", | |
"process.Ext.malware_classification.features": "object", | |
"process.Ext.malware_classification.features.data.buffer": "keyword", | |
"process.Ext.malware_classification.features.data.decompressed_size": "integer", | |
"process.Ext.malware_classification.features.data.encoding": "keyword", | |
"process.Ext.malware_classification.identifier": "keyword", | |
"process.Ext.malware_classification.score": "double", | |
"process.Ext.malware_classification.threshold": "double", | |
"process.Ext.malware_classification.upx_packed": "boolean", | |
"process.Ext.malware_classification.version": "keyword", | |
"process.Ext.memory_region.allocation_base": "unsigned_long", | |
"process.Ext.memory_region.allocation_protection": "keyword", | |
"process.Ext.memory_region.allocation_size": "unsigned_long", | |
"process.Ext.memory_region.allocation_type": "keyword", | |
"process.Ext.memory_region.bytes_address": "unsigned_long", | |
"process.Ext.memory_region.bytes_allocation_offset": "unsigned_long", | |
"process.Ext.memory_region.bytes_compressed": "keyword", | |
"process.Ext.memory_region.bytes_compressed_present": "boolean", | |
"process.Ext.memory_region.malware_signature.all_names": "keyword", | |
"process.Ext.memory_region.malware_signature.identifier": "keyword", | |
"process.Ext.memory_region.malware_signature.primary": "object", | |
"process.Ext.memory_region.malware_signature.primary.matches": "keyword", | |
"process.Ext.memory_region.malware_signature.primary.signature.hash": "nested", | |
"process.Ext.memory_region.malware_signature.primary.signature.hash.sha256": "keyword", | |
"process.Ext.memory_region.malware_signature.primary.signature.id": "keyword", | |
"process.Ext.memory_region.malware_signature.primary.signature.name": "keyword", | |
"process.Ext.memory_region.malware_signature.version": "keyword", | |
"process.Ext.memory_region.mapped_path": "keyword", | |
"process.Ext.memory_region.mapped_pe.company": "keyword", | |
"process.Ext.memory_region.mapped_pe.description": "keyword", | |
"process.Ext.memory_region.mapped_pe.file_version": "keyword", | |
"process.Ext.memory_region.mapped_pe.imphash": "keyword", | |
"process.Ext.memory_region.mapped_pe.original_file_name": "keyword", | |
"process.Ext.memory_region.mapped_pe.product": "keyword", | |
"process.Ext.memory_region.mapped_pe_detected": "boolean", | |
"process.Ext.memory_region.memory_pe.company": "keyword", | |
"process.Ext.memory_region.memory_pe.description": "keyword", | |
"process.Ext.memory_region.memory_pe.file_version": "keyword", | |
"process.Ext.memory_region.memory_pe.imphash": "keyword", | |
"process.Ext.memory_region.memory_pe.original_file_name": "keyword", | |
"process.Ext.memory_region.memory_pe.product": "keyword", | |
"process.Ext.memory_region.memory_pe_detected": "boolean", | |
"process.Ext.memory_region.region_base": "unsigned_long", | |
"process.Ext.memory_region.region_protection": "keyword", | |
"process.Ext.memory_region.region_size": "unsigned_long", | |
"process.Ext.memory_region.region_state": "keyword", | |
"process.Ext.memory_region.strings": "keyword", | |
"process.Ext.mitigation_policies": "keyword", | |
"process.Ext.protection": "keyword", | |
"process.Ext.relative_file_creation_time": "double", | |
"process.Ext.relative_file_name_modify_time": "double", | |
"process.Ext.services": "keyword", | |
"process.Ext.session": "keyword", | |
"process.Ext.session_info.authentication_package": "keyword", | |
"process.Ext.session_info.client_address": "keyword", | |
"process.Ext.session_info.id": "unsigned_long", | |
"process.Ext.session_info.logon_type": "keyword", | |
"process.Ext.session_info.relative_logon_time": "double", | |
"process.Ext.session_info.relative_password_age": "double", | |
"process.Ext.session_info.user_flags": "keyword", | |
"process.Ext.token.domain": "keyword", | |
"process.Ext.token.elevation": "boolean", | |
"process.Ext.token.elevation_level": "keyword", | |
"process.Ext.token.elevation_type": "keyword", | |
"process.Ext.token.impersonation_level": "keyword", | |
"process.Ext.token.integrity_level": "long", | |
"process.Ext.token.integrity_level_name": "keyword", | |
"process.Ext.token.is_appcontainer": "boolean", | |
"process.Ext.token.privileges": "nested", | |
"process.Ext.token.privileges.description": "keyword", | |
"process.Ext.token.privileges.enabled": "boolean", | |
"process.Ext.token.privileges.name": "keyword", | |
"process.Ext.token.security_attributes": "keyword", | |
"process.Ext.token.sid": "keyword", | |
"process.Ext.token.type": "keyword", | |
"process.Ext.token.user": "keyword", | |
"process.Ext.trusted": "boolean", | |
"process.Ext.trusted_descendant": "boolean", | |
"process.Ext.user": "keyword", | |
"process.args": "keyword", | |
"process.args_count": "long", | |
"process.code_signature.exists": "boolean", | |
"process.code_signature.signing_id": "keyword", | |
"process.code_signature.status": "keyword", | |
"process.code_signature.subject_name": "keyword", | |
"process.code_signature.team_id": "keyword", | |
"process.code_signature.trusted": "boolean", | |
"process.code_signature.valid": "boolean", | |
"process.command_line": "wildcard", | |
"process.end": "date", | |
"process.entity_id": "keyword", | |
"process.entry_leader.args": "keyword", | |
"process.entry_leader.args_count": "long", | |
"process.entry_leader.attested_groups.name": "keyword", | |
"process.entry_leader.attested_user.id": "keyword", | |
"process.entry_leader.attested_user.name": "keyword", | |
"process.entry_leader.command_line": "wildcard", | |
"process.entry_leader.entity_id": "keyword", | |
"process.entry_leader.entry_meta.source.ip": "ip", | |
"process.entry_leader.entry_meta.type": "keyword", | |
"process.entry_leader.executable": "keyword", | |
"process.entry_leader.group.id": "keyword", | |
"process.entry_leader.group.name": "keyword", | |
"process.entry_leader.interactive": "boolean", | |
"process.entry_leader.name": "keyword", | |
"process.entry_leader.parent.entity_id": "keyword", | |
"process.entry_leader.parent.pid": "long", | |
"process.entry_leader.parent.session_leader.entity_id": "keyword", | |
"process.entry_leader.parent.session_leader.pid": "long", | |
"process.entry_leader.parent.session_leader.start": "date", | |
"process.entry_leader.parent.start": "date", | |
"process.entry_leader.pid": "long", | |
"process.entry_leader.real_group.id": "keyword", | |
"process.entry_leader.real_group.name": "keyword", | |
"process.entry_leader.real_user.id": "keyword", | |
"process.entry_leader.real_user.name": "keyword", | |
"process.entry_leader.same_as_process": "boolean", | |
"process.entry_leader.saved_group.id": "keyword", | |
"process.entry_leader.saved_group.name": "keyword", | |
"process.entry_leader.saved_user.id": "keyword", | |
"process.entry_leader.saved_user.name": "keyword", | |
"process.entry_leader.start": "date", | |
"process.entry_leader.supplemental_groups.id": "keyword", | |
"process.entry_leader.supplemental_groups.name": "keyword", | |
"process.entry_leader.tty": "object", | |
"process.entry_leader.tty.char_device.major": "long", | |
"process.entry_leader.tty.char_device.minor": "long", | |
"process.entry_leader.user.id": "keyword", | |
"process.entry_leader.user.name": "keyword", | |
"process.entry_leader.working_directory": "keyword", | |
"process.env_vars": "keyword", | |
"process.executable": "keyword", | |
"process.exit_code": "long", | |
"process.group.id": "keyword", | |
"process.group.name": "keyword", | |
"process.group_leader.args": "keyword", | |
"process.group_leader.args_count": "long", | |
"process.group_leader.command_line": "wildcard", | |
"process.group_leader.entity_id": "keyword", | |
"process.group_leader.executable": "keyword", | |
"process.group_leader.group.id": "keyword", | |
"process.group_leader.group.name": "keyword", | |
"process.group_leader.interactive": "boolean", | |
"process.group_leader.name": "keyword", | |
"process.group_leader.pid": "long", | |
"process.group_leader.real_group.id": "keyword", | |
"process.group_leader.real_group.name": "keyword", | |
"process.group_leader.real_user.id": "keyword", | |
"process.group_leader.real_user.name": "keyword", | |
"process.group_leader.same_as_process": "boolean", | |
"process.group_leader.saved_group.id": "keyword", | |
"process.group_leader.saved_group.name": "keyword", | |
"process.group_leader.saved_user.id": "keyword", | |
"process.group_leader.saved_user.name": "keyword", | |
"process.group_leader.start": "date", | |
"process.group_leader.supplemental_groups.id": "keyword", | |
"process.group_leader.supplemental_groups.name": "keyword", | |
"process.group_leader.tty": "object", | |
"process.group_leader.tty.char_device.major": "long", | |
"process.group_leader.tty.char_device.minor": "long", | |
"process.group_leader.user.id": "keyword", | |
"process.group_leader.user.name": "keyword", | |
"process.group_leader.working_directory": "keyword", | |
"process.hash.md5": "keyword", | |
"process.hash.sha1": "keyword", | |
"process.hash.sha256": "keyword", | |
"process.hash.sha512": "keyword", | |
"process.interactive": "boolean", | |
"process.io": "object", | |
"process.io.max_bytes_per_process_exceeded": "boolean", | |
"process.io.text": "wildcard", | |
"process.io.total_bytes_captured": "long", | |
"process.io.total_bytes_skipped": "long", | |
"process.name": "keyword", | |
"process.parent.Ext": "object", | |
"process.parent.Ext.architecture": "keyword", | |
"process.parent.Ext.code_signature": "nested", | |
"process.parent.Ext.code_signature.exists": "boolean", | |
"process.parent.Ext.code_signature.status": "keyword", | |
"process.parent.Ext.code_signature.subject_name": "keyword", | |
"process.parent.Ext.code_signature.trusted": "boolean", | |
"process.parent.Ext.code_signature.valid": "boolean", | |
"process.parent.Ext.dll.Ext": "object", | |
"process.parent.Ext.dll.Ext.code_signature": "nested", | |
"process.parent.Ext.dll.Ext.code_signature.exists": "boolean", | |
"process.parent.Ext.dll.Ext.code_signature.status": "keyword", | |
"process.parent.Ext.dll.Ext.code_signature.subject_name": "keyword", | |
"process.parent.Ext.dll.Ext.code_signature.trusted": "boolean", | |
"process.parent.Ext.dll.Ext.code_signature.valid": "boolean", | |
"process.parent.Ext.dll.Ext.compile_time": "date", | |
"process.parent.Ext.dll.Ext.mapped_address": "unsigned_long", | |
"process.parent.Ext.dll.Ext.mapped_size": "unsigned_long", | |
"process.parent.Ext.dll.code_signature.exists": "boolean", | |
"process.parent.Ext.dll.code_signature.signing_id": "keyword", | |
"process.parent.Ext.dll.code_signature.status": "keyword", | |
"process.parent.Ext.dll.code_signature.subject_name": "keyword", | |
"process.parent.Ext.dll.code_signature.team_id": "keyword", | |
"process.parent.Ext.dll.code_signature.trusted": "boolean", | |
"process.parent.Ext.dll.code_signature.valid": "boolean", | |
"process.parent.Ext.dll.hash.md5": "keyword", | |
"process.parent.Ext.dll.hash.sha1": "keyword", | |
"process.parent.Ext.dll.hash.sha256": "keyword", | |
"process.parent.Ext.dll.hash.sha512": "keyword", | |
"process.parent.Ext.dll.name": "keyword", | |
"process.parent.Ext.dll.path": "keyword", | |
"process.parent.Ext.dll.pe.company": "keyword", | |
"process.parent.Ext.dll.pe.description": "keyword", | |
"process.parent.Ext.dll.pe.file_version": "keyword", | |
"process.parent.Ext.dll.pe.imphash": "keyword", | |
"process.parent.Ext.dll.pe.original_file_name": "keyword", | |
"process.parent.Ext.dll.pe.product": "keyword", | |
"process.parent.Ext.protection": "keyword", | |
"process.parent.Ext.real": "object", | |
"process.parent.Ext.real.pid": "long", | |
"process.parent.Ext.token.domain": "keyword", | |
"process.parent.Ext.token.elevation": "boolean", | |
"process.parent.Ext.token.elevation_type": "keyword", | |
"process.parent.Ext.token.impersonation_level": "keyword", | |
"process.parent.Ext.token.integrity_level": "long", | |
"process.parent.Ext.token.integrity_level_name": "keyword", | |
"process.parent.Ext.token.is_appcontainer": "boolean", | |
"process.parent.Ext.token.privileges": "nested", | |
"process.parent.Ext.token.privileges.description": "keyword", | |
"process.parent.Ext.token.privileges.enabled": "boolean", | |
"process.parent.Ext.token.privileges.name": "keyword", | |
"process.parent.Ext.token.sid": "keyword", | |
"process.parent.Ext.token.type": "keyword", | |
"process.parent.Ext.token.user": "keyword", | |
"process.parent.Ext.user": "keyword", | |
"process.parent.args": "keyword", | |
"process.parent.args_count": "long", | |
"process.parent.code_signature.exists": "boolean", | |
"process.parent.code_signature.signing_id": "keyword", | |
"process.parent.code_signature.status": "keyword", | |
"process.parent.code_signature.subject_name": "keyword", | |
"process.parent.code_signature.team_id": "keyword", | |
"process.parent.code_signature.trusted": "boolean", | |
"process.parent.code_signature.valid": "boolean", | |
"process.parent.command_line": "wildcard", | |
"process.parent.entity_id": "keyword", | |
"process.parent.executable": "keyword", | |
"process.parent.exit_code": "long", | |
"process.parent.group.id": "keyword", | |
"process.parent.group.name": "keyword", | |
"process.parent.group_leader.entity_id": "keyword", | |
"process.parent.group_leader.pid": "long", | |
"process.parent.group_leader.start": "date", | |
"process.parent.hash.md5": "keyword", | |
"process.parent.hash.sha1": "keyword", | |
"process.parent.hash.sha256": "keyword", | |
"process.parent.hash.sha512": "keyword", | |
"process.parent.interactive": "boolean", | |
"process.parent.name": "keyword", | |
"process.parent.pe.company": "keyword", | |
"process.parent.pe.description": "keyword", | |
"process.parent.pe.file_version": "keyword", | |
"process.parent.pe.imphash": "keyword", | |
"process.parent.pe.original_file_name": "keyword", | |
"process.parent.pe.product": "keyword", | |
"process.parent.pgid": "long", | |
"process.parent.pid": "long", | |
"process.parent.ppid": "long", | |
"process.parent.real_group.id": "keyword", | |
"process.parent.real_group.name": "keyword", | |
"process.parent.real_user.id": "keyword", | |
"process.parent.real_user.name": "keyword", | |
"process.parent.saved_group.id": "keyword", | |
"process.parent.saved_group.name": "keyword", | |
"process.parent.saved_user.id": "keyword", | |
"process.parent.saved_user.name": "keyword", | |
"process.parent.start": "date", | |
"process.parent.supplemental_groups.id": "keyword", | |
"process.parent.supplemental_groups.name": "keyword", | |
"process.parent.thread.Ext": "object", | |
"process.parent.thread.Ext.call_stack_contains_unbacked": "boolean", | |
"process.parent.thread.id": "long", | |
"process.parent.thread.name": "keyword", | |
"process.parent.title": "keyword", | |
"process.parent.tty": "object", | |
"process.parent.tty.char_device.major": "long", | |
"process.parent.tty.char_device.minor": "long", | |
"process.parent.uptime": "long", | |
"process.parent.user.id": "keyword", | |
"process.parent.user.name": "keyword", | |
"process.parent.working_directory": "keyword", | |
"process.pe.company": "keyword", | |
"process.pe.description": "keyword", | |
"process.pe.file_version": "keyword", | |
"process.pe.imphash": "keyword", | |
"process.pe.original_file_name": "keyword", | |
"process.pe.product": "keyword", | |
"process.pgid": "long", | |
"process.pid": "long", | |
"process.ppid": "long", | |
"process.previous.args": "keyword", | |
"process.previous.args_count": "long", | |
"process.previous.executable": "keyword", | |
"process.real_group.id": "keyword", | |
"process.real_group.name": "keyword", | |
"process.real_user.id": "keyword", | |
"process.real_user.name": "keyword", | |
"process.saved_group.id": "keyword", | |
"process.saved_group.name": "keyword", | |
"process.saved_user.id": "keyword", | |
"process.saved_user.name": "keyword", | |
"process.session_leader.args": "keyword", | |
"process.session_leader.args_count": "long", | |
"process.session_leader.command_line": "wildcard", | |
"process.session_leader.entity_id": "keyword", | |
"process.session_leader.executable": "keyword", | |
"process.session_leader.group.id": "keyword", | |
"process.session_leader.group.name": "keyword", | |
"process.session_leader.interactive": "boolean", | |
"process.session_leader.name": "keyword", | |
"process.session_leader.parent.entity_id": "keyword", | |
"process.session_leader.parent.pid": "long", | |
"process.session_leader.parent.session_leader.entity_id": "keyword", | |
"process.session_leader.parent.session_leader.pid": "long", | |
"process.session_leader.parent.session_leader.start": "date", | |
"process.session_leader.parent.start": "date", | |
"process.session_leader.pid": "long", | |
"process.session_leader.real_group.id": "keyword", | |
"process.session_leader.real_group.name": "keyword", | |
"process.session_leader.real_user.id": "keyword", | |
"process.session_leader.real_user.name": "keyword", | |
"process.session_leader.same_as_process": "boolean", | |
"process.session_leader.saved_group.id": "keyword", | |
"process.session_leader.saved_group.name": "keyword", | |
"process.session_leader.saved_user.id": "keyword", | |
"process.session_leader.saved_user.name": "keyword", | |
"process.session_leader.start": "date", | |
"process.session_leader.supplemental_groups.id": "keyword", | |
"process.session_leader.supplemental_groups.name": "keyword", | |
"process.session_leader.tty": "object", | |
"process.session_leader.tty.char_device.major": "long", | |
"process.session_leader.tty.char_device.minor": "long", | |
"process.session_leader.user.id": "keyword", | |
"process.session_leader.user.name": "keyword", | |
"process.session_leader.working_directory": "keyword", | |
"process.start": "date", | |
"process.supplemental_groups.id": "keyword", | |
"process.supplemental_groups.name": "keyword", | |
"process.thread.Ext": "object", | |
"process.thread.Ext.call_stack": "object", | |
"process.thread.Ext.call_stack.instruction_pointer": "keyword", | |
"process.thread.Ext.call_stack.memory_section.memory_address": "keyword", | |
"process.thread.Ext.call_stack.memory_section.memory_size": "keyword", | |
"process.thread.Ext.call_stack.memory_section.protection": "keyword", | |
"process.thread.Ext.call_stack.module_name": "keyword", | |
"process.thread.Ext.call_stack.module_path": "keyword", | |
"process.thread.Ext.call_stack.rva": "keyword", | |
"process.thread.Ext.call_stack.symbol_info": "keyword", | |
"process.thread.Ext.call_stack_contains_unbacked": "boolean", | |
"process.thread.Ext.call_stack_final_user_module": "nested", | |
"process.thread.Ext.call_stack_final_user_module.code_signature": "nested", | |
"process.thread.Ext.call_stack_final_user_module.code_signature.exists": "boolean", | |
"process.thread.Ext.call_stack_final_user_module.code_signature.status": "keyword", | |
"process.thread.Ext.call_stack_final_user_module.code_signature.subject_name": "keyword", | |
"process.thread.Ext.call_stack_final_user_module.code_signature.trusted": "boolean", | |
"process.thread.Ext.call_stack_final_user_module.code_signature.valid": "boolean", | |
"process.thread.Ext.call_stack_final_user_module.hash": "object", | |
"process.thread.Ext.call_stack_final_user_module.hash.sha256": "keyword", | |
"process.thread.Ext.call_stack_final_user_module.name": "keyword", | |
"process.thread.Ext.call_stack_final_user_module.path": "keyword", | |
"process.thread.Ext.call_stack_summary": "keyword", | |
"process.thread.Ext.hardware_breakpoint_set": "boolean", | |
"process.thread.Ext.parameter": "unsigned_long", | |
"process.thread.Ext.parameter_bytes_compressed": "keyword", | |
"process.thread.Ext.parameter_bytes_compressed_present": "boolean", | |
"process.thread.Ext.service": "keyword", | |
"process.thread.Ext.start": "date", | |
"process.thread.Ext.start_address": "unsigned_long", | |
"process.thread.Ext.start_address_allocation_offset": "unsigned_long", | |
"process.thread.Ext.start_address_bytes": "keyword", | |
"process.thread.Ext.start_address_bytes_disasm": "keyword", | |
"process.thread.Ext.start_address_bytes_disasm_hash": "keyword", | |
"process.thread.Ext.start_address_module": "keyword", | |
"process.thread.Ext.token.domain": "keyword", | |
"process.thread.Ext.token.elevation": "boolean", | |
"process.thread.Ext.token.elevation_type": "keyword", | |
"process.thread.Ext.token.impersonation_level": "keyword", | |
"process.thread.Ext.token.integrity_level": "long", | |
"process.thread.Ext.token.integrity_level_name": "keyword", | |
"process.thread.Ext.token.is_appcontainer": "boolean", | |
"process.thread.Ext.token.privileges": "nested", | |
"process.thread.Ext.token.privileges.description": "keyword", | |
"process.thread.Ext.token.privileges.enabled": "boolean", | |
"process.thread.Ext.token.privileges.name": "keyword", | |
"process.thread.Ext.token.sid": "keyword", | |
"process.thread.Ext.token.type": "keyword", | |
"process.thread.Ext.token.user": "keyword", | |
"process.thread.Ext.uptime": "long", | |
"process.thread.id": "long", | |
"process.thread.name": "keyword", | |
"process.title": "keyword", | |
"process.tty": "object", | |
"process.tty.char_device.major": "long", | |
"process.tty.char_device.minor": "long", | |
"process.tty.columns": "long", | |
"process.tty.rows": "long", | |
"process.uptime": "long", | |
"process.user.id": "keyword", | |
"process.user.name": "keyword", | |
"process.working_directory": "keyword", | |
"registry.data.bytes": "keyword", | |
"registry.data.strings": "wildcard", | |
"registry.data.type": "keyword", | |
"registry.hive": "keyword", | |
"registry.key": "keyword", | |
"registry.path": "keyword", | |
"registry.value": "keyword", | |
"rule.author": "keyword", | |
"rule.category": "keyword", | |
"rule.description": "keyword", | |
"rule.id": "keyword", | |
"rule.license": "keyword", | |
"rule.name": "keyword", | |
"rule.reference": "keyword", | |
"rule.ruleset": "keyword", | |
"rule.uuid": "keyword", | |
"rule.version": "keyword", | |
"source.address": "keyword", | |
"source.as.number": "long", | |
"source.as.organization.name": "keyword", | |
"source.bytes": "long", | |
"source.domain": "keyword", | |
"source.geo.city_name": "keyword", | |
"source.geo.continent_code": "keyword", | |
"source.geo.continent_name": "keyword", | |
"source.geo.country_iso_code": "keyword", | |
"source.geo.country_name": "keyword", | |
"source.geo.location": "geo_point", | |
"source.geo.name": "keyword", | |
"source.geo.postal_code": "keyword", | |
"source.geo.region_iso_code": "keyword", | |
"source.geo.region_name": "keyword", | |
"source.geo.timezone": "keyword", | |
"source.ip": "ip", | |
"source.packets": "long", | |
"source.port": "long", | |
"source.registered_domain": "keyword", | |
"source.top_level_domain": "keyword", | |
"started_at": "alias", | |
"status": "alias", | |
"threat.enrichments": "nested", | |
"threat.enrichments.indicator": "object", | |
"threat.enrichments.indicator.file.Ext": "object", | |
"threat.enrichments.indicator.file.Ext.code_signature": "nested", | |
"threat.enrichments.indicator.file.Ext.code_signature.exists": "boolean", | |
"threat.enrichments.indicator.file.Ext.code_signature.status": "keyword", | |
"threat.enrichments.indicator.file.Ext.code_signature.subject_name": "keyword", | |
"threat.enrichments.indicator.file.Ext.code_signature.trusted": "boolean", | |
"threat.enrichments.indicator.file.Ext.code_signature.valid": "boolean", | |
"threat.enrichments.indicator.file.Ext.device.bus_type": "keyword", | |
"threat.enrichments.indicator.file.Ext.device.dos_name": "keyword", | |
"threat.enrichments.indicator.file.Ext.device.nt_name": "keyword", | |
"threat.enrichments.indicator.file.Ext.device.product_id": "keyword", | |
"threat.enrichments.indicator.file.Ext.device.serial_number": "keyword", | |
"threat.enrichments.indicator.file.Ext.device.vendor_id": "keyword", | |
"threat.enrichments.indicator.file.Ext.entropy": "double", | |
"threat.enrichments.indicator.file.Ext.entry_modified": "double", | |
"threat.enrichments.indicator.file.Ext.header_bytes": "keyword", | |
"threat.enrichments.indicator.file.Ext.header_data": "text", | |
"threat.enrichments.indicator.file.Ext.malware_classification.features.data.buffer": "keyword", | |
"threat.enrichments.indicator.file.Ext.malware_classification.features.data.decompressed_size": "integer", | |
"threat.enrichments.indicator.file.Ext.malware_classification.features.data.encoding": "keyword", | |
"threat.enrichments.indicator.file.Ext.malware_classification.identifier": "keyword", | |
"threat.enrichments.indicator.file.Ext.malware_classification.score": "double", | |
"threat.enrichments.indicator.file.Ext.malware_classification.threshold": "double", | |
"threat.enrichments.indicator.file.Ext.malware_classification.upx_packed": "boolean", | |
"threat.enrichments.indicator.file.Ext.malware_classification.version": "keyword", | |
"threat.enrichments.indicator.file.Ext.malware_signature": "nested", | |
"threat.enrichments.indicator.file.Ext.malware_signature.all_names": "text", | |
"threat.enrichments.indicator.file.Ext.malware_signature.identifier": "text", | |
"threat.enrichments.indicator.file.Ext.malware_signature.primary": "nested", | |
"threat.enrichments.indicator.file.Ext.malware_signature.primary.matches": "nested", | |
"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature": "nested", | |
"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash": "nested", | |
"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash.sha256": "keyword", | |
"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.id": "keyword", | |
"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.name": "keyword", | |
"threat.enrichments.indicator.file.Ext.malware_signature.secondary": "nested", | |
"threat.enrichments.indicator.file.Ext.malware_signature.version": "keyword", | |
"threat.enrichments.indicator.file.Ext.monotonic_id": "unsigned_long", | |
"threat.enrichments.indicator.file.Ext.original": "object", | |
"threat.enrichments.indicator.file.Ext.original.gid": "keyword", | |
"threat.enrichments.indicator.file.Ext.original.group": "keyword", | |
"threat.enrichments.indicator.file.Ext.original.mode": "keyword", | |
"threat.enrichments.indicator.file.Ext.original.name": "keyword", | |
"threat.enrichments.indicator.file.Ext.original.owner": "keyword", | |
"threat.enrichments.indicator.file.Ext.original.path": "keyword", | |
"threat.enrichments.indicator.file.Ext.original.uid": "keyword", | |
"threat.enrichments.indicator.file.Ext.quarantine_message": "keyword", | |
"threat.enrichments.indicator.file.Ext.quarantine_path": "keyword", | |
"threat.enrichments.indicator.file.Ext.quarantine_result": "boolean", | |
"threat.enrichments.indicator.file.Ext.temp_file_path": "keyword", | |
"threat.enrichments.indicator.file.Ext.windows": "object", | |
"threat.enrichments.indicator.file.Ext.windows.zone_identifier": "keyword", | |
"threat.enrichments.indicator.file.accessed": "date", | |
"threat.enrichments.indicator.file.attributes": "keyword", | |
"threat.enrichments.indicator.file.code_signature.exists": "boolean", | |
"threat.enrichments.indicator.file.code_signature.signing_id": "keyword", | |
"threat.enrichments.indicator.file.code_signature.status": "keyword", | |
"threat.enrichments.indicator.file.code_signature.subject_name": "keyword", | |
"threat.enrichments.indicator.file.code_signature.team_id": "keyword", | |
"threat.enrichments.indicator.file.code_signature.trusted": "boolean", | |
"threat.enrichments.indicator.file.code_signature.valid": "boolean", | |
"threat.enrichments.indicator.file.created": "date", | |
"threat.enrichments.indicator.file.ctime": "date", | |
"threat.enrichments.indicator.file.device": "keyword", | |
"threat.enrichments.indicator.file.directory": "keyword", | |
"threat.enrichments.indicator.file.drive_letter": "keyword", | |
"threat.enrichments.indicator.file.elf.architecture": "keyword", | |
"threat.enrichments.indicator.file.elf.byte_order": "keyword", | |
"threat.enrichments.indicator.file.elf.cpu_type": "keyword", | |
"threat.enrichments.indicator.file.elf.creation_date": "date", | |
"threat.enrichments.indicator.file.elf.exports": "flattened", | |
"threat.enrichments.indicator.file.elf.go_import_hash": "keyword", | |
"threat.enrichments.indicator.file.elf.go_imports": "flattened", | |
"threat.enrichments.indicator.file.elf.go_imports_names_entropy": "long", | |
"threat.enrichments.indicator.file.elf.go_imports_names_var_entropy": "long", | |
"threat.enrichments.indicator.file.elf.go_stripped": "boolean", | |
"threat.enrichments.indicator.file.elf.header.abi_version": "keyword", | |
"threat.enrichments.indicator.file.elf.header.class": "keyword", | |
"threat.enrichments.indicator.file.elf.header.data": "keyword", | |
"threat.enrichments.indicator.file.elf.header.entrypoint": "long", | |
"threat.enrichments.indicator.file.elf.header.object_version": "keyword", | |
"threat.enrichments.indicator.file.elf.header.os_abi": "keyword", | |
"threat.enrichments.indicator.file.elf.header.type": "keyword", | |
"threat.enrichments.indicator.file.elf.header.version": "keyword", | |
"threat.enrichments.indicator.file.elf.import_hash": "keyword", | |
"threat.enrichments.indicator.file.elf.imports": "flattened", | |
"threat.enrichments.indicator.file.elf.imports_names_entropy": "long", | |
"threat.enrichments.indicator.file.elf.imports_names_var_entropy": "long", | |
"threat.enrichments.indicator.file.elf.sections": "nested", | |
"threat.enrichments.indicator.file.elf.sections.chi2": "long", | |
"threat.enrichments.indicator.file.elf.sections.entropy": "long", | |
"threat.enrichments.indicator.file.elf.sections.flags": "keyword", | |
"threat.enrichments.indicator.file.elf.sections.name": "keyword", | |
"threat.enrichments.indicator.file.elf.sections.physical_offset": "keyword", | |
"threat.enrichments.indicator.file.elf.sections.physical_size": "long", | |
"threat.enrichments.indicator.file.elf.sections.type": "keyword", | |
"threat.enrichments.indicator.file.elf.sections.var_entropy": "long", | |
"threat.enrichments.indicator.file.elf.sections.virtual_address": "long", | |
"threat.enrichments.indicator.file.elf.sections.virtual_size": "long", | |
"threat.enrichments.indicator.file.elf.segments": "nested", | |
"threat.enrichments.indicator.file.elf.segments.sections": "keyword", | |
"threat.enrichments.indicator.file.elf.segments.type": "keyword", | |
"threat.enrichments.indicator.file.elf.shared_libraries": "keyword", | |
"threat.enrichments.indicator.file.elf.telfhash": "keyword", | |
"threat.enrichments.indicator.file.extension": "keyword", | |
"threat.enrichments.indicator.file.gid": "keyword", | |
"threat.enrichments.indicator.file.group": "keyword", | |
"threat.enrichments.indicator.file.hash.md5": "keyword", | |
"threat.enrichments.indicator.file.hash.sha1": "keyword", | |
"threat.enrichments.indicator.file.hash.sha256": "keyword", | |
"threat.enrichments.indicator.file.hash.sha512": "keyword", | |
"threat.enrichments.indicator.file.hash.ssdeep": "keyword", | |
"threat.enrichments.indicator.file.inode": "keyword", | |
"threat.enrichments.indicator.file.mime_type": "keyword", | |
"threat.enrichments.indicator.file.mode": "keyword", | |
"threat.enrichments.indicator.file.mtime": "date", | |
"threat.enrichments.indicator.file.name": "keyword", | |
"threat.enrichments.indicator.file.owner": "keyword", | |
"threat.enrichments.indicator.file.path": "keyword", | |
"threat.enrichments.indicator.file.pe.architecture": "keyword", | |
"threat.enrichments.indicator.file.pe.company": "keyword", | |
"threat.enrichments.indicator.file.pe.description": "keyword", | |
"threat.enrichments.indicator.file.pe.file_version": "keyword", | |
"threat.enrichments.indicator.file.pe.imphash": "keyword", | |
"threat.enrichments.indicator.file.pe.original_file_name": "keyword", | |
"threat.enrichments.indicator.file.pe.product": "keyword", | |
"threat.enrichments.indicator.file.size": "long", | |
"threat.enrichments.indicator.file.target_path": "keyword", | |
"threat.enrichments.indicator.file.type": "keyword", | |
"threat.enrichments.indicator.file.uid": "keyword", | |
"threat.enrichments.indicator.first_seen": "date", | |
"threat.enrichments.indicator.geo.city_name": "keyword", | |
"threat.enrichments.indicator.geo.continent_code": "keyword", | |
"threat.enrichments.indicator.geo.continent_name": "keyword", | |
"threat.enrichments.indicator.geo.country_iso_code": "keyword", | |
"threat.enrichments.indicator.geo.country_name": "keyword", | |
"threat.enrichments.indicator.geo.location": "geo_point", | |
"threat.enrichments.indicator.geo.name": "keyword", | |
"threat.enrichments.indicator.geo.postal_code": "keyword", | |
"threat.enrichments.indicator.geo.region_iso_code": "keyword", | |
"threat.enrichments.indicator.geo.region_name": "keyword", | |
"threat.enrichments.indicator.geo.timezone": "keyword", | |
"threat.enrichments.indicator.ip": "ip", | |
"threat.enrichments.indicator.last_seen": "date", | |
"threat.enrichments.indicator.marking.tlp": "keyword", | |
"threat.enrichments.indicator.modified_at": "date", | |
"threat.enrichments.indicator.port": "long", | |
"threat.enrichments.indicator.provider": "keyword", | |
"threat.enrichments.indicator.reference": "keyword", | |
"threat.enrichments.indicator.registry.data.bytes": "keyword", | |
"threat.enrichments.indicator.registry.data.strings": "wildcard", | |
"threat.enrichments.indicator.registry.data.type": "keyword", | |
"threat.enrichments.indicator.registry.hive": "keyword", | |
"threat.enrichments.indicator.registry.key": "keyword", | |
"threat.enrichments.indicator.registry.path": "keyword", | |
"threat.enrichments.indicator.registry.value": "keyword", | |
"threat.enrichments.indicator.scanner_stats": "long", | |
"threat.enrichments.indicator.sightings": "long", | |
"threat.enrichments.indicator.type": "keyword", | |
"threat.enrichments.indicator.url.domain": "keyword", | |
"threat.enrichments.indicator.url.extension": "keyword", | |
"threat.enrichments.indicator.url.fragment": "keyword", | |
"threat.enrichments.indicator.url.full": "wildcard", | |
"threat.enrichments.indicator.url.original": "wildcard", | |
"threat.enrichments.indicator.url.password": "keyword", | |
"threat.enrichments.indicator.url.path": "wildcard", | |
"threat.enrichments.indicator.url.port": "long", | |
"threat.enrichments.indicator.url.query": "keyword", | |
"threat.enrichments.indicator.url.registered_domain": "keyword", | |
"threat.enrichments.indicator.url.scheme": "keyword", | |
"threat.enrichments.indicator.url.subdomain": "keyword", | |
"threat.enrichments.indicator.url.top_level_domain": "keyword", | |
"threat.enrichments.indicator.url.username": "keyword", | |
"threat.enrichments.indicator.x509.alternative_names": "keyword", | |
"threat.enrichments.indicator.x509.issuer.common_name": "keyword", | |
"threat.enrichments.indicator.x509.issuer.country": "keyword", | |
"threat.enrichments.indicator.x509.issuer.distinguished_name": "keyword", | |
"threat.enrichments.indicator.x509.issuer.locality": "keyword", | |
"threat.enrichments.indicator.x509.issuer.organization": "keyword", | |
"threat.enrichments.indicator.x509.issuer.organizational_unit": "keyword", | |
"threat.enrichments.indicator.x509.issuer.state_or_province": "keyword", | |
"threat.enrichments.indicator.x509.not_after": "date", | |
"threat.enrichments.indicator.x509.not_before": "date", | |
"threat.enrichments.indicator.x509.public_key_algorithm": "keyword", | |
"threat.enrichments.indicator.x509.public_key_curve": "keyword", | |
"threat.enrichments.indicator.x509.public_key_exponent": "long", | |
"threat.enrichments.indicator.x509.public_key_size": "long", | |
"threat.enrichments.indicator.x509.serial_number": "keyword", | |
"threat.enrichments.indicator.x509.signature_algorithm": "keyword", | |
"threat.enrichments.indicator.x509.subject.common_name": "keyword", | |
"threat.enrichments.indicator.x509.subject.country": "keyword", | |
"threat.enrichments.indicator.x509.subject.distinguished_name": "keyword", | |
"threat.enrichments.indicator.x509.subject.locality": "keyword", | |
"threat.enrichments.indicator.x509.subject.organization": "keyword", | |
"threat.enrichments.indicator.x509.subject.organizational_unit": "keyword", | |
"threat.enrichments.indicator.x509.subject.state_or_province": "keyword", | |
"threat.enrichments.indicator.x509.version_number": "keyword", | |
"threat.enrichments.matched.atomic": "keyword", | |
"threat.enrichments.matched.field": "keyword", | |
"threat.enrichments.matched.id": "keyword", | |
"threat.enrichments.matched.index": "keyword", | |
"threat.enrichments.matched.type": "keyword", | |
"threat.framework": "keyword", | |
"threat.group.alias": "keyword", | |
"threat.group.id": "keyword", | |
"threat.group.name": "keyword", | |
"threat.group.reference": "keyword", | |
"threat.indicator.as.number": "long", | |
"threat.indicator.as.organization.name": "keyword", | |
"threat.indicator.confidence": "keyword", | |
"threat.indicator.description": "keyword", | |
"threat.indicator.email.address": "keyword", | |
"threat.indicator.file.Ext": "object", | |
"threat.indicator.file.Ext.code_signature": "nested", | |
"threat.indicator.file.Ext.code_signature.exists": "boolean", | |
"threat.indicator.file.Ext.code_signature.status": "keyword", | |
"threat.indicator.file.Ext.code_signature.subject_name": "keyword", | |
"threat.indicator.file.Ext.code_signature.trusted": "boolean", | |
"threat.indicator.file.Ext.code_signature.valid": "boolean", | |
"threat.indicator.file.Ext.device.bus_type": "keyword", | |
"threat.indicator.file.Ext.device.dos_name": "keyword", | |
"threat.indicator.file.Ext.device.nt_name": "keyword", | |
"threat.indicator.file.Ext.device.product_id": "keyword", | |
"threat.indicator.file.Ext.device.serial_number": "keyword", | |
"threat.indicator.file.Ext.device.vendor_id": "keyword", | |
"threat.indicator.file.Ext.entropy": "double", | |
"threat.indicator.file.Ext.entry_modified": "double", | |
"threat.indicator.file.Ext.header_bytes": "keyword", | |
"threat.indicator.file.Ext.header_data": "text", | |
"threat.indicator.file.Ext.malware_classification.features.data.buffer": "keyword", | |
"threat.indicator.file.Ext.malware_classification.features.data.decompressed_size": "integer", | |
"threat.indicator.file.Ext.malware_classification.features.data.encoding": "keyword", | |
"threat.indicator.file.Ext.malware_classification.identifier": "keyword", | |
"threat.indicator.file.Ext.malware_classification.score": "double", | |
"threat.indicator.file.Ext.malware_classification.threshold": "double", | |
"threat.indicator.file.Ext.malware_classification.upx_packed": "boolean", | |
"threat.indicator.file.Ext.malware_classification.version": "keyword", | |
"threat.indicator.file.Ext.malware_signature": "nested", | |
"threat.indicator.file.Ext.malware_signature.all_names": "text", | |
"threat.indicator.file.Ext.malware_signature.identifier": "text", | |
"threat.indicator.file.Ext.malware_signature.primary": "nested", | |
"threat.indicator.file.Ext.malware_signature.primary.matches": "nested", | |
"threat.indicator.file.Ext.malware_signature.primary.signature": "nested", | |
"threat.indicator.file.Ext.malware_signature.primary.signature.hash": "nested", | |
"threat.indicator.file.Ext.malware_signature.primary.signature.hash.sha256": "keyword", | |
"threat.indicator.file.Ext.malware_signature.primary.signature.id": "keyword", | |
"threat.indicator.file.Ext.malware_signature.primary.signature.name": "keyword", | |
"threat.indicator.file.Ext.malware_signature.secondary": "nested", | |
"threat.indicator.file.Ext.malware_signature.version": "keyword", | |
"threat.indicator.file.Ext.monotonic_id": "unsigned_long", | |
"threat.indicator.file.Ext.original": "object", | |
"threat.indicator.file.Ext.original.gid": "keyword", | |
"threat.indicator.file.Ext.original.group": "keyword", | |
"threat.indicator.file.Ext.original.mode": "keyword", | |
"threat.indicator.file.Ext.original.name": "keyword", | |
"threat.indicator.file.Ext.original.owner": "keyword", | |
"threat.indicator.file.Ext.original.path": "keyword", | |
"threat.indicator.file.Ext.original.uid": "keyword", | |
"threat.indicator.file.Ext.quarantine_message": "keyword", | |
"threat.indicator.file.Ext.quarantine_path": "keyword", | |
"threat.indicator.file.Ext.quarantine_result": "boolean", | |
"threat.indicator.file.Ext.temp_file_path": "keyword", | |
"threat.indicator.file.Ext.windows": "object", | |
"threat.indicator.file.Ext.windows.zone_identifier": "keyword", | |
"threat.indicator.file.accessed": "date", | |
"threat.indicator.file.attributes": "keyword", | |
"threat.indicator.file.code_signature.exists": "boolean", | |
"threat.indicator.file.code_signature.signing_id": "keyword", | |
"threat.indicator.file.code_signature.status": "keyword", | |
"threat.indicator.file.code_signature.subject_name": "keyword", | |
"threat.indicator.file.code_signature.team_id": "keyword", | |
"threat.indicator.file.code_signature.trusted": "boolean", | |
"threat.indicator.file.code_signature.valid": "boolean", | |
"threat.indicator.file.created": "date", | |
"threat.indicator.file.ctime": "date", | |
"threat.indicator.file.device": "keyword", | |
"threat.indicator.file.directory": "keyword", | |
"threat.indicator.file.drive_letter": "keyword", | |
"threat.indicator.file.elf.architecture": "keyword", | |
"threat.indicator.file.elf.byte_order": "keyword", | |
"threat.indicator.file.elf.cpu_type": "keyword", | |
"threat.indicator.file.elf.creation_date": "date", | |
"threat.indicator.file.elf.exports": "flattened", | |
"threat.indicator.file.elf.go_import_hash": "keyword", | |
"threat.indicator.file.elf.go_imports": "flattened", | |
"threat.indicator.file.elf.go_imports_names_entropy": "long", | |
"threat.indicator.file.elf.go_imports_names_var_entropy": "long", | |
"threat.indicator.file.elf.go_stripped": "boolean", | |
"threat.indicator.file.elf.header.abi_version": "keyword", | |
"threat.indicator.file.elf.header.class": "keyword", | |
"threat.indicator.file.elf.header.data": "keyword", | |
"threat.indicator.file.elf.header.entrypoint": "long", | |
"threat.indicator.file.elf.header.object_version": "keyword", | |
"threat.indicator.file.elf.header.os_abi": "keyword", | |
"threat.indicator.file.elf.header.type": "keyword", | |
"threat.indicator.file.elf.header.version": "keyword", | |
"threat.indicator.file.elf.import_hash": "keyword", | |
"threat.indicator.file.elf.imports": "flattened", | |
"threat.indicator.file.elf.imports_names_entropy": "long", | |
"threat.indicator.file.elf.imports_names_var_entropy": "long", | |
"threat.indicator.file.elf.sections": "nested", | |
"threat.indicator.file.elf.sections.chi2": "long", | |
"threat.indicator.file.elf.sections.entropy": "long", | |
"threat.indicator.file.elf.sections.flags": "keyword", | |
"threat.indicator.file.elf.sections.name": "keyword", | |
"threat.indicator.file.elf.sections.physical_offset": "keyword", | |
"threat.indicator.file.elf.sections.physical_size": "long", | |
"threat.indicator.file.elf.sections.type": "keyword", | |
"threat.indicator.file.elf.sections.var_entropy": "long", | |
"threat.indicator.file.elf.sections.virtual_address": "long", | |
"threat.indicator.file.elf.sections.virtual_size": "long", | |
"threat.indicator.file.elf.segments": "nested", | |
"threat.indicator.file.elf.segments.sections": "keyword", | |
"threat.indicator.file.elf.segments.type": "keyword", | |
"threat.indicator.file.elf.shared_libraries": "keyword", | |
"threat.indicator.file.elf.telfhash": "keyword", | |
"threat.indicator.file.extension": "keyword", | |
"threat.indicator.file.gid": "keyword", | |
"threat.indicator.file.group": "keyword", | |
"threat.indicator.file.hash.md5": "keyword", | |
"threat.indicator.file.hash.sha1": "keyword", | |
"threat.indicator.file.hash.sha256": "keyword", | |
"threat.indicator.file.hash.sha512": "keyword", | |
"threat.indicator.file.hash.ssdeep": "keyword", | |
"threat.indicator.file.inode": "keyword", | |
"threat.indicator.file.mime_type": "keyword", | |
"threat.indicator.file.mode": "keyword", | |
"threat.indicator.file.mtime": "date", | |
"threat.indicator.file.name": "keyword", | |
"threat.indicator.file.owner": "keyword", | |
"threat.indicator.file.path": "keyword", | |
"threat.indicator.file.pe.architecture": "keyword", | |
"threat.indicator.file.pe.company": "keyword", | |
"threat.indicator.file.pe.description": "keyword", | |
"threat.indicator.file.pe.file_version": "keyword", | |
"threat.indicator.file.pe.imphash": "keyword", | |
"threat.indicator.file.pe.original_file_name": "keyword", | |
"threat.indicator.file.pe.product": "keyword", | |
"threat.indicator.file.size": "long", | |
"threat.indicator.file.target_path": "keyword", | |
"threat.indicator.file.type": "keyword", | |
"threat.indicator.file.uid": "keyword", | |
"threat.indicator.first_seen": "date", | |
"threat.indicator.geo.city_name": "keyword", | |
"threat.indicator.geo.continent_code": "keyword", | |
"threat.indicator.geo.continent_name": "keyword", | |
"threat.indicator.geo.country_iso_code": "keyword", | |
"threat.indicator.geo.country_name": "keyword", | |
"threat.indicator.geo.location": "geo_point", | |
"threat.indicator.geo.name": "keyword", | |
"threat.indicator.geo.postal_code": "keyword", | |
"threat.indicator.geo.region_iso_code": "keyword", | |
"threat.indicator.geo.region_name": "keyword", | |
"threat.indicator.geo.timezone": "keyword", | |
"threat.indicator.ip": "ip", | |
"threat.indicator.last_seen": "date", | |
"threat.indicator.marking.tlp": "keyword", | |
"threat.indicator.modified_at": "date", | |
"threat.indicator.port": "long", | |
"threat.indicator.provider": "keyword", | |
"threat.indicator.reference": "keyword", | |
"threat.indicator.registry.data.bytes": "keyword", | |
"threat.indicator.registry.data.strings": "wildcard", | |
"threat.indicator.registry.data.type": "keyword", | |
"threat.indicator.registry.hive": "keyword", | |
"threat.indicator.registry.key": "keyword", | |
"threat.indicator.registry.path": "keyword", | |
"threat.indicator.registry.value": "keyword", | |
"threat.indicator.scanner_stats": "long", | |
"threat.indicator.sightings": "long", | |
"threat.indicator.type": "keyword", | |
"threat.indicator.url.domain": "keyword", | |
"threat.indicator.url.extension": "keyword", | |
"threat.indicator.url.fragment": "keyword", | |
"threat.indicator.url.full": "wildcard", | |
"threat.indicator.url.original": "wildcard", | |
"threat.indicator.url.password": "keyword", | |
"threat.indicator.url.path": "wildcard", | |
"threat.indicator.url.port": "long", | |
"threat.indicator.url.query": "keyword", | |
"threat.indicator.url.registered_domain": "keyword", | |
"threat.indicator.url.scheme": "keyword", | |
"threat.indicator.url.subdomain": "keyword", | |
"threat.indicator.url.top_level_domain": "keyword", | |
"threat.indicator.url.username": "keyword", | |
"threat.indicator.x509.alternative_names": "keyword", | |
"threat.indicator.x509.issuer.common_name": "keyword", | |
"threat.indicator.x509.issuer.country": "keyword", | |
"threat.indicator.x509.issuer.distinguished_name": "keyword", | |
"threat.indicator.x509.issuer.locality": "keyword", | |
"threat.indicator.x509.issuer.organization": "keyword", | |
"threat.indicator.x509.issuer.organizational_unit": "keyword", | |
"threat.indicator.x509.issuer.state_or_province": "keyword", | |
"threat.indicator.x509.not_after": "date", | |
"threat.indicator.x509.not_before": "date", | |
"threat.indicator.x509.public_key_algorithm": "keyword", | |
"threat.indicator.x509.public_key_curve": "keyword", | |
"threat.indicator.x509.public_key_exponent": "long", | |
"threat.indicator.x509.public_key_size": "long", | |
"threat.indicator.x509.serial_number": "keyword", | |
"threat.indicator.x509.signature_algorithm": "keyword", | |
"threat.indicator.x509.subject.common_name": "keyword", | |
"threat.indicator.x509.subject.country": "keyword", | |
"threat.indicator.x509.subject.distinguished_name": "keyword", | |
"threat.indicator.x509.subject.locality": "keyword", | |
"threat.indicator.x509.subject.organization": "keyword", | |
"threat.indicator.x509.subject.organizational_unit": "keyword", | |
"threat.indicator.x509.subject.state_or_province": "keyword", | |
"threat.indicator.x509.version_number": "keyword", | |
"threat.software.id": "keyword", | |
"threat.software.name": "keyword", | |
"threat.software.platforms": "keyword", | |
"threat.software.reference": "keyword", | |
"threat.software.type": "keyword", | |
"threat.tactic.id": "keyword", | |
"threat.tactic.name": "keyword", | |
"threat.tactic.reference": "keyword", | |
"threat.technique.id": "keyword", | |
"threat.technique.name": "keyword", | |
"threat.technique.reference": "keyword", | |
"threat.technique.subtechnique.id": "keyword", | |
"threat.technique.subtechnique.name": "keyword", | |
"threat.technique.subtechnique.reference": "keyword", | |
"type": "alias", | |
"user.Ext": "object", | |
"user.Ext.real": "object", | |
"user.Ext.real.id": "keyword", | |
"user.Ext.real.name": "keyword", | |
"user.domain": "keyword", | |
"user.email": "keyword", | |
"user.full_name": "keyword", | |
"user.group.Ext": "object", | |
"user.group.Ext.real": "object", | |
"user.group.Ext.real.id": "keyword", | |
"user.group.Ext.real.name": "keyword", | |
"user.group.domain": "keyword", | |
"user.group.id": "keyword", | |
"user.group.name": "keyword", | |
"user.hash": "keyword", | |
"user.id": "keyword", | |
"user.name": "keyword", | |
"user_id": "alias" | |
} |