| { | |
| "@timestamp": "date", | |
| "Effective_process.entity_id": "keyword", | |
| "Effective_process.executable": "keyword", | |
| "Effective_process.name": "keyword", | |
| "Effective_process.pid": "long", | |
| "Endpoint.capabilities": "keyword", | |
| "Endpoint.configuration": "object", | |
| "Endpoint.configuration.isolation": "boolean", | |
| "Endpoint.metrics": "object", |
Analysis of Elastic detection-rules, showing event types and field
distribution per technique. The full results are represented in the file below (fields_by_technique.json)
The structure is:
"library": { # event.category (generic if event.category not defined)
"fields": { # field distribution for that event.category within that technique
ℹ️ This was duplicated to this blog for readability and reference
The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.
The full schemas for elastic endpoint on Windows, MacOS, and Linux.
Also includes schemas for all integrations used by Elastic detection rules, all of which are streamed via the elastic agent.
These are all already open sourced within the detection rules repo, where they are used for unit test validation (endpoint schemas will be there soon). We even have schemas for the beats modules (similar to integrations, but on beats).