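---
# ECS custom subset for the Elastic Endpoint `process` data stream.
#
# Each `{}` leaf selects one field for the generated index mapping, and
# `fields: "*"` selects every subfield of that object. Because this is a
# subset, a field that a detection rule or the Security app queries has
# to be listed here to be mapped at all (see the geo note below). Keys
# named `Ext` presumably hold Elastic-specific extensions to core ECS.
#
# NOTE(review): the nesting below was reconstructed from a copy whose
# indentation had been stripped (every key was at column 0, which is not
# a valid subset document); confirm it against the upstream file.
name: process
fields:
  base:
    fields:
      "@timestamp": {}
      message: {}
  data_stream:
    fields: "*"
  ecs:
    fields:
      version: {}
  # source.geo.* and destination.geo.* must exist in the mapping, or the
  # Security app's Maps page errors when it queries them.
  source:
    fields:
      geo:
        fields: "*"
  destination:
    fields:
      geo:
        fields: "*"
  host:
    fields:
      architecture: {}
      domain: {}
      hostname: {}
      id: {}
      ip: {}
      mac: {}
      name: {}
      type: {}
      uptime: {}
      os:
        fields:
          family: {}
          full: {}
          kernel: {}
          platform: {}
          version: {}
          name: {}
          type: {}
          Ext:
            fields:
              variant: {}
  event:
    fields:
      action: {}
      category: {}
      created: {}
      code: {}
      dataset: {}
      hash: {}
      id: {}
      ingested: {}
      kind: {}
      module: {}
      outcome: {}
      provider: {}
      sequence: {}
      severity: {}
      type: {}
  agent:
    fields:
      version: {}
      type: {}
      id: {}
  group:
    fields:
      domain: {}
      id: {}
      name: {}
      Ext:
        fields:
          real:
            fields:
              id: {}
              name: {}
  user:
    fields:
      domain: {}
      email: {}
      full_name: {}
      hash: {}
      id: {}
      name: {}
      group:
        fields:
          domain: {}
          id: {}
          name: {}
          Ext:
            fields:
              real:
                fields:
                  id: {}
                  name: {}
      Ext:
        fields:
          real:
            fields:
              id: {}
              name: {}
  process:
    fields:
      args: {}
      args_count: {}
      code_signature:
        fields:
          exists: {}
          signing_id: {}
          status: {}
          subject_name: {}
          team_id: {}
          trusted: {}
          valid: {}
      command_line: {}
      end: {}
      entity_id: {}
      executable: {}
      exit_code: {}
      group:
        fields:
          id: {}
          name: {}
      hash:
        fields:
          md5: {}
          sha1: {}
          sha256: {}
          sha512: {}
      name: {}
      pe:
        fields:
          company: {}
          description: {}
          file_version: {}
          imphash: {}
          original_file_name: {}
          product: {}
      pgid: {}
      pid: {}
      ppid: {}
      thread:
        fields:
          id: {}
          name: {}
          capabilities:
            fields:
              permitted: {}
              effective: {}
      title: {}
      uptime: {}
      working_directory: {}
      origin_referrer_url: {}
      origin_url: {}
      # Endpoint-specific process extensions (non-ECS, presumably).
      Ext:
        fields:
          ancestry: {}
          architecture: {}
          authentication_id: {}
          trusted: {}
          trusted_descendant: {}
          ptrace:
            fields:
              child_pid: {}
              request: {}
          shmget:
            fields:
              key: {}
              size: {}
              flags: {}
          memfd:
            fields:
              flag_hugetlb: {}
              flag_allow_seal: {}
              flags: {}
              name: {}
              flag_exec: {}
              flag_cloexec: {}
              flag_noexec_seal: {}
          code_signature:
            fields:
              exists: {}
              status: {}
              subject_name: {}
              trusted: {}
              valid: {}
          created_suspended: {}
          defense_evasions: {}
          mitigation_policies: {}
          dll:
            fields:
              name: {}
              path: {}
              Ext:
                fields:
                  mapped_address: {}
                  mapped_size: {}
          effective_parent:
            fields:
              pid: {}
              name: {}
              executable: {}
              entity_id: {}
          protection: {}
          relative_file_creation_time: {}
          relative_file_name_modify_time: {}
          session: {}
          session_info:
            fields:
              logon_type: {}
              client_address: {}
              id: {}
              authentication_package: {}
              relative_logon_time: {}
              relative_password_age: {}
              user_flags: {}
          token:
            fields:
              elevation: {}
              elevation_level: {}
              elevation_type: {}
              integrity_level_name: {}
              security_attributes: {}
          device:
            fields:
              bus_type: {}
              dos_name: {}
              nt_name: {}
              product_id: {}
              serial_number: {}
              vendor_id: {}
              volume_device_type: {}
              file_system_type: {}
          windows:
            fields:
              zone_identifier: {}
      parent:
        fields:
          args: {}
          args_count: {}
          code_signature:
            fields:
              exists: {}
              signing_id: {}
              status: {}
              subject_name: {}
              team_id: {}
              trusted: {}
              valid: {}
          command_line: {}
          entity_id: {}
          executable: {}
          exit_code: {}
          hash:
            fields:
              md5: {}
              sha1: {}
              sha256: {}
              sha512: {}
          name: {}
          pe:
            fields:
              company: {}
              description: {}
              file_version: {}
              imphash: {}
              original_file_name: {}
              product: {}
          pgid: {}
          pid: {}
          ppid: {}
          thread:
            fields:
              id: {}
              name: {}
              Ext:
                fields:
                  # `enabled: true` is the only explicit `enabled` in this
                  # file; presumably it overrides a stored-only
                  # (`enabled: false`) default on the call-stack object so
                  # these subfields are indexed and searchable -- confirm
                  # against the base endpoint schema before relying on it.
                  call_stack:
                    enabled: true
                    fields:
                      allocation_private_bytes: {}
                      callsite_leading_bytes: {}
                      callsite_trailing_bytes: {}
                      protection: {}
                      symbol_info: {}
                  call_stack_summary: {}
                  call_stack_contains_unbacked: {}
                  hardware_breakpoint_set: {}
          title: {}
          uptime: {}
          working_directory: {}
          Ext:
            fields:
              architecture: {}
              real:
                fields:
                  pid: {}
              code_signature:
                fields:
                  exists: {}
                  status: {}
                  subject_name: {}
                  trusted: {}
                  valid: {}
              user: {}
              protection: {}
  package:
    fields:
      name: {}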