custom_subsets/elastic_endpoint/api/api.yaml (180 lines of code) (raw):
---
name: api
fields:
base:
fields:
"@timestamp": {}
message: {}
data_stream:
fields: "*"
destination:
fields:
ip: {}
port: {}
dll:
fields:
path: {}
hash:
fields:
sha256: {}
Ext:
fields:
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
ecs:
fields:
version: {}
event:
fields:
action: {}
category: {}
created: {}
dataset: {}
end: {}
hash: {}
id: {}
ingested: {}
outcome: {}
start: {}
type: {}
user:
fields:
domain: {}
hash: {}
id: {}
name: {}
host:
fields:
architecture: {}
domain: {}
hostname: {}
id: {}
ip: {}
mac: {}
name: {}
type: {}
uptime: {}
os:
fields:
family: {}
full: {}
kernel: {}
platform: {}
version: {}
name: {}
type: {}
Ext:
fields:
variant: {}
network:
fields:
transport: {}
type: {}
Target:
fields:
process:
fields:
name: {}
pid: {}
executable: {}
entity_id: {}
Ext:
fields:
created_suspended: {}
memory_region:
fields: "*"
protection: {}
token:
fields:
integrity_level_name: {}
process:
fields:
pid: {}
name: {}
executable: {}
entity_id: {}
command_line: {}
Ext:
fields:
ancestry: {}
api:
fields:
name: {}
summary: {}
behaviors: {}
metadata:
fields: "*"
parameters:
fields: "*"
created_suspended: {}
memory_region:
fields: "*"
token:
fields:
integrity_level_name: {}
protection: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
thread:
fields:
id: {}
Ext:
fields:
call_stack:
enabled: false
fields:
module_path: {}
instruction_pointer: {}
allocation_private_bytes: {}
callsite_leading_bytes: {}
callsite_trailing_bytes: {}
protection: {}
protection_provenance: {}
symbol_info: {}
call_stack_contains_unbacked: {}
call_stack_final_hook_module:
fields:
path: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
hash:
fields:
sha256: {}
call_stack_final_user_module:
fields:
name: {}
path: {}
allocation_private_bytes: {}
protection: {}
protection_provenance: {}
protection_provenance_path: {}
reason: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
hash:
fields:
sha256: {}
call_stack_summary: {}