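---
# custom_subsets/elastic_endpoint/action_responses/action_responses.yaml
#
# Field subset "action_responses": an allow-list of the fields that are kept
# for this data set (presumably endpoint response-action results; confirm
# against the consumer of this file).
#
# Conventions used below:
#   <field>: {}    keep this single field, no overrides
#   fields: "*"    keep every subfield of the enclosing object
#
# NOTE(review): the nesting follows the usual fieldset -> fields -> field
# layout of subset files; verify it against the upstream copy before use.
name: action_responses
fields:
  # Root-level (un-prefixed) fields.
  base:
    fields:
      "@timestamp": {}
      action_id: {}
      completed_at: {}
      # Wildcard: anything written under `data` is accepted without a schema
      # change. NOTE(review): if action results can carry host output or other
      # sensitive content, access to the resulting index should be restricted
      # accordingly. TODO confirm what producers place here.
      data:
        fields: "*"
      status: {}
      started_at: {}
      agent_id: {}

  # Same action metadata, namespaced under EndpointActions.
  EndpointActions:
    fields:
      action_id: {}
      completed_at: {}
      # Wildcard, same caveat as base.data above in this file.
      data:
        fields: "*"
      status: {}
      started_at: {}

  agent:
    fields:
      id: {}

  error:
    fields:
      code: {}
      id: {}
      message: {}
      # NOTE(review): stack traces can expose internal paths and component
      # details; keep only if consumers of this index need them.
      stack_trace: {}
      type: {}

  # Wildcard: all data_stream subfields are kept.
  data_stream:
    fields: "*"

  ecs:
    fields:
      version: {}

  event:
    fields:
      action: {}
      category: {}
      created: {}
      end: {}
      hash: {}
      id: {}
      ingested: {}
      outcome: {}
      start: {}
      type: {}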