---
# ECS subset definition: the set of ECS fields that make up the Linux
# event model used by the endpoint alert documents.
#
# Layout follows the ECS subset format: every key under the top-level
# `fields` is an ECS field set, each carrying its own `fields` mapping.
# A leaf written as `{}` selects that ECS field as-is (no overrides);
# `fields: "*"` selects every field of the set.
#
# Fields that only exist from ECS 8.3 onward are kept commented out
# so they can be enabled once the target ECS version is raised.
name: linux_event_model
fields:
  base:
    fields:
      "@timestamp": {}
      "message": {}

  data_stream:
    fields: "*"

  agent:
    fields:
      ephemeral_id: {}
      id: {}
      name: {}
      type: {}
      version: {}

  container:
    fields:
      id: {}
      image:
        fields:
          name: {}
          tag: {}
          # hash:
          #   fields:
          #     all: {}  # available in 8.3 ECS
      name: {}

  cloud:
    fields:
      account:
        fields:
          id: {}
      instance:
        fields:
          name: {}
      project:
        fields:
          id: {}
      provider: {}
      region: {}

  group:
    fields:
      id: {}
      name: {}

  host:
    fields:
      boot:
        fields:
          id: {}
      pid_ns_ino: {}

  orchestrator:
    fields:
      cluster:
        fields:
          # id: {}  # available in 8.3 ECS
          name: {}
      namespace: {}
      resource:
        fields:
          # ip: {}  # available in 8.3 ECS
          name: {}
          type: {}
          # parent:  # available in 8.3 ECS
          #   fields:
          #     type: {}

  # Process fields, including the parent process and the three
  # session-model ancestors (entry_leader, session_leader, group_leader).
  process:
    fields:
      args: {}
      args_count: {}
      command_line: {}
      entity_id: {}
      # NOTE(review): env_vars carries environment bindings of the
      # process; confirm downstream handling of anything sensitive
      # that may be passed through the environment.
      env_vars: {}
      executable: {}
      interactive: {}
      name: {}
      pid: {}
      previous:
        fields:
          args: {}
          args_count: {}
          executable: {}
      start: {}
      tty:
        fields:
          char_device:
            fields:
              major: {}
              minor: {}
      user:
        fields:
          id: {}
          name: {}
      working_directory: {}
      real_user:
        fields:
          id: {}
          name: {}
      saved_user:
        fields:
          id: {}
          name: {}
      real_group:
        fields:
          id: {}
          name: {}
      saved_group:
        fields:
          id: {}
          name: {}
      supplemental_groups:
        fields:
          id: {}
          name: {}

      # Direct parent of the process.
      parent:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          executable: {}
          group_leader:
            fields:
              entity_id: {}
              pid: {}
              start: {}
          interactive: {}
          name: {}
          pid: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}

      # Entry leader: the process that started the session chain,
      # with entry_meta describing how the session was entered.
      entry_leader:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          entry_meta:
            fields:
              type: {}
              source:
                fields:
                  ip: {}
          executable: {}
          interactive: {}
          name: {}
          parent:
            fields:
              entity_id: {}
              pid: {}
              start: {}
              session_leader:
                fields:
                  entity_id: {}
                  pid: {}
                  start: {}
          pid: {}
          same_as_process: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}

      # Session leader of the process.
      session_leader:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          executable: {}
          interactive: {}
          name: {}
          pid: {}
          same_as_process: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          parent:
            fields:
              entity_id: {}
              pid: {}
              start: {}
              session_leader:
                fields:
                  entity_id: {}
                  pid: {}
                  start: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}

      # Process group leader of the process.
      group_leader:
        fields:
          args: {}
          args_count: {}
          command_line: {}
          entity_id: {}
          executable: {}
          interactive: {}
          name: {}
          pid: {}
          same_as_process: {}
          start: {}
          tty:
            fields:
              char_device:
                fields:
                  major: {}
                  minor: {}
          working_directory: {}
          user:
            fields:
              id: {}
              name: {}
          real_user:
            fields:
              id: {}
              name: {}
          saved_user:
            fields:
              id: {}
              name: {}
          group:
            fields:
              id: {}
              name: {}
          real_group:
            fields:
              id: {}
              name: {}
          saved_group:
            fields:
              id: {}
              name: {}
          supplemental_groups:
            fields:
              id: {}
              name: {}

  user:
    fields:
      id: {}
      name: {}