--- name: file fields: base: fields: "@timestamp": {} labels: {} message: {} host: fields: os: fields: platform: {} name: {} version: {} ip: {} hostname: {} name: {} event: fields: id: {} module: {} dataset: {} action: {} kind: {} category: {} type: {} agent: fields: version: {} type: {} id: {} endgame: fields: serial_event_id: {} opcode: {} event_type_full: {} event_subtype_full: {} timestamp: {} timestamp_utc: {} event_message: {} unknown_properties: {} pid: {} process_path: {} process_name: {} unique_pid: {} user_name: {} user_domain: {} user_sid: {} tid: {} real_user_name: {} effective_user_name: {} real_group_name: {} effective_group_name: {} real_uid: {} effective_uid: {} real_gid: {} effective_gid: {} # end of generic stuff file_path: {} file_name: {} md5: {} sha1: {} sha256: {} old_file_path: {} old_file_name: {} create_disposition: {} desired_access: {} create_options: {} share_mode: {} file_attributes: {} zone_id: {} other_file_path: {} fileid: {} parent_pid: {} file_mode: {}