schemas/v0/dns.yaml (102 lines of code) (raw):
---
title: Endgame Network events.
embedded: true
fields:
  # ECS
  - name: "@timestamp"
    type: date
    description: >
      Date/time when the event originated.
      This is the date/time extracted from the event, typically representing when the event was generated by the source.
      If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
      Required field for all events.
  - name: message
    type: text
    description: >
      For log events the message field contains the log message, optimized for viewing in a log viewer.
      For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
      If multiple messages exist, they can be combined into one message.
  - name: host
    description: >
      The host fields are used to describe the host that's publishing data.
    fields:
      - name: os
        description: >
          The description of the operating system.
        fields:
          - name: platform
            type: keyword
            description: >
              Currently we just use the non-normalized "name" (e.g. darwin). See https://www.elastic.co/guide/en/ecs/current/ecs-os.html for
              how this should be mapped.
            example: darwin
          - name: name
            type: keyword
            description: >
              Currently we just normalize the name (e.g. macOS, Windows, Linux). See https://www.elastic.co/guide/en/ecs/current/ecs-os.html for
              how this should be mapped.
            example: Mac OS X
          - name: version
            type: keyword
            description: >
              Operating system version as a raw string.
            example: 10.14.1
      - name: ip
        type: ip
        description: >
          The IP address of the sensor; currently this is the IP that the SMP sees.
        example: 10.0.1.5
      - name: hostname
        type: keyword
        description: >
          The hostname of the sensor; currently this is the hostname that the SMP sees.
        example: laptop-mbp
      - name: name
        type: keyword
        description: >
          The name of the sensor; currently this is the hostname that the SMP sees.
        example: laptop-mbp
  - name: event
    description: >
      The event fields are used to describe the event metadata.
    fields:
      - name: id
        type: keyword
        description: >
          Unique ID to describe the event.
        example: 8a4f500d
      - name: module
        type: keyword
        description: >
          Currently hardcoded to "endgame".
        example: endgame
      - name: dataset
        type: keyword
        description: >
          Currently hardcoded to "esensor".
        example: esensor
      - name: action
        type: keyword
        description: >
          The event action.
        example: process_created_event
      - name: kind
        type: keyword
        description: >
          The event kind.
        example: event
      - name: category
        type: keyword
        description: >
          The event category.
        example: process
      - name: type
        type: keyword
        description: >
          The event type.
        example: process_start
  - name: labels
    description: >
      Metadata labels for Endgame data.
    type: object
    object_type: keyword
    example: '{"account_id": 12321,"endpoint_id": 12321}'
  - name: agent
    description: >
      The agent fields are used to describe the Endgame sensor by which the information was collected.
    fields:
      - name: version
        type: keyword
        description: >
          Version of the Endgame sensor publishing the event.
        example: 5.31.2
      - name: type
        type: keyword
        description: >
          The sensor type; currently always "endgame".
        example: endgame
      - name: id
        type: keyword
        description: >
          Unique sensor identifier.
        example: 8a4f500d
  - name: network
    description: >
      The network is defined as the communication path over which a host or network event happens.
    fields:
      - name: transport
        type: keyword
        description: >
          Transport-layer protocol name (e.g. udp, tcp), the keyword form of the IANA protocol
          number (`network.iana_number` in ECS, which this schema does not carry).
      - name: protocol
        type: keyword
        description: >
          Application-layer (L7) protocol name, e.g. dns.
      - name: community_id
        type: keyword
        description: >
          A hash over source/destination IPs and ports plus the transport protocol that identifies a flow
          consistently across tools. Learn more at https://github.com/corelight/community-id-spec.
      - name: bytes
        type: long
        format: bytes
        description: >
          Total bytes transferred in both directions.
      - name: packets
        type: long
        description: >
          Total packets transferred in both directions.
  - name: source
    description: >
      Source fields describe details about the source of a packet/event.
    fields:
      - name: address
        type: keyword
        description: >
          Some event source addresses are defined ambiguously. The event will
          sometimes list an IP, a domain or a unix socket. You should always
          store the raw address in the `.address` field.
          Then it should be duplicated to `.ip` or `.domain`, depending on which
          one it is. Note that only `.ip` is defined in this schema so far.
      - name: ip
        type: ip
        description: >
          IP address of the source.
          Can be one or multiple IPv4 or IPv6 addresses.
      - name: port
        type: long
        description: >
          Port of the source.
      - name: bytes
        format: bytes
        type: long
        description: >
          Bytes sent from the source to the destination.
      - name: packets
        type: long
        description: >
          Packets sent from the source to the destination.
  - name: destination
    description: >
      Destination fields describe details about the destination of a packet/event.
    fields:
      - name: address
        type: keyword
        description: >
          Some event destination addresses are defined ambiguously. The event will
          sometimes list an IP, a domain or a unix socket. You should always
          store the raw address in the `.address` field.
          Then it should be duplicated to `.ip` or `.domain`, depending on which
          one it is. Note that only `.ip` is defined in this schema so far.
      - name: ip
        type: ip
        description: >
          IP address of the destination.
          Can be one or multiple IPv4 or IPv6 addresses.
      - name: port
        type: long
        description: >
          Port of the destination.
      - name: bytes
        format: bytes
        type: long
        description: >
          Bytes sent from the destination to the source.
      - name: packets
        type: long
        description: >
          Packets sent from the destination to the source.
  - name: dns
    description: >
      Fields describing DNS queries and answers.
    fields:
      - name: question
        fields:
          - name: name
            type: keyword
            description: >
              The name being queried.
          - name: type
            type: keyword
            description: >
              The type of record being queried (e.g. A, AAAA, CNAME).
          - name: registered_domain
            type: keyword
            description: >
              The highest registered domain, stripped of the subdomain.
              For example, the registered domain for www.example.com is example.com.
      - name: resolved_ip
        type: ip
        description: >
          Array containing all IPs seen in the answers.
  # Our current stuff
  - name: endgame
    description: >
      The current endgame fields.
    fields:
      # NOTE: Elasticsearch `long` and `integer` are signed. The uint64/uint32 sensor
      # values noted below overflow above 2^63-1 and 2^31-1 respectively (a uid of
      # 4294967294 does not fit an `integer`) and such documents are rejected at index time.
      # BaseDataBuffer
      - name: serial_event_id
        type: long # this is a uint64 right now
        description: ""
      - name: opcode
        type: integer # this is a uint32 right now
        description: ""
      - name: event_type_full
        type: keyword
        description: ""
      - name: event_subtype_full
        type: keyword
        description: ""
      # GenericDataBuffer
      - name: timestamp
        type: date # this is a uint64 right now
        description: ""
      - name: timestamp_utc
        type: keyword
        description: ""
      - name: event_message
        type: keyword
        description: ""
      - name: unknown_properties
        type: keyword # this is a generic object right now, we should get rid of it
        description: ""
      - name: pid
        type: integer # this is a uint32 right now
        description: ""
      - name: process_path
        type: keyword
        description: ""
      - name: process_name
        type: keyword
        description: ""
      - name: unique_pid
        type: long # this is a uint64 right now
        description: ""
      # GenericDataBuffer: Windows
      - name: user_name
        type: keyword
        description: ""
      - name: user_domain
        type: keyword
        description: ""
      - name: user_sid
        type: keyword
        description: ""
      - name: tid
        type: integer # this is a uint32 right now
        description: ""
      # GenericDataBuffer: Posix
      - name: real_user_name
        type: keyword
        description: ""
      - name: effective_user_name
        type: keyword
        description: ""
      - name: real_group_name
        type: keyword
        description: ""
      - name: effective_group_name
        type: keyword
        description: ""
      - name: real_uid
        type: integer # this is a uint32 right now
        description: ""
      - name: effective_uid
        type: integer # this is a uint32 right now
        description: ""
      - name: real_gid
        type: integer # this is a uint32 right now
        description: ""
      - name: effective_gid
        type: integer # this is a uint32 right now
        description: ""
      # DnsDataBuffer
      - name: query_name
        type: keyword
        description: ""
      - name: event_id
        type: integer # this is a uint32 right now
        description: ""
      - name: query_type
        type: integer # this is a uint32 right now
        description: ""
      - name: query_status
        type: integer # this is a uint32 right now
        description: ""
      - name: query_options
        type: long # this is a uint64 right now
        description: ""
      - name: query_results
        type: keyword
        description: ""
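The following is an added example and not code from the Endgame repository. It checks a constructed DNS event against a hand-transcribed subset of the field types in the schema above, applies the `.address` duplication rule from the source/destination descriptions, and catches the signed-range problem the "this is a uint64 right now" comments in the endgame block point at. SCHEMA and SAMPLE_EVENT are constructed for this example; because `.domain` is not defined in the schema on this page, the validator reports it as unknown whenever a hostname is given as an address.

```python
# Added example (not Endgame/Elastic code): check a constructed DNS event against
# a hand-transcribed subset of the field schema above and apply its `.address` rule.
import ipaddress
from datetime import datetime

SCHEMA = {  # dotted field name -> Elasticsearch type, transcribed from the schema above
    "@timestamp": "date",
    "host.ip": "ip", "host.hostname": "keyword",
    "source.address": "keyword", "source.ip": "ip", "source.port": "long",
    "destination.address": "keyword", "destination.ip": "ip", "destination.port": "long",
    "network.transport": "keyword", "network.protocol": "keyword",
    "dns.question.name": "keyword", "dns.question.type": "keyword",
    "dns.question.registered_domain": "keyword", "dns.resolved_ip": "ip",
    "endgame.serial_event_id": "long",  # schema comment: uint64 at the sensor
    "endgame.pid": "integer",           # schema comment: uint32 at the sensor
    "endgame.query_name": "keyword", "endgame.query_type": "integer",
    "endgame.query_results": "keyword",
}
# Elasticsearch `long` and `integer` are signed; the sensor's unsigned values can exceed them.
RANGES = {"long": (-2**63, 2**63 - 1), "integer": (-2**31, 2**31 - 1)}


def flatten(doc, prefix=""):
    """Yield (dotted_path, value) pairs for a nested event; lists are leaves."""
    for key, value in doc.items():
        path = prefix + key
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, value


def check_value(ftype, value):
    """Return None if value fits the field type, otherwise a reason string."""
    for item in value if isinstance(value, list) else [value]:  # fields may hold arrays
        if ftype == "ip":
            try:
                ipaddress.ip_address(str(item))
            except ValueError:
                return "not an IP address: %r" % (item,)
        elif ftype == "date":
            try:
                datetime.fromisoformat(str(item).replace("Z", "+00:00"))
            except ValueError:
                return "not an ISO 8601 date: %r" % (item,)
        elif ftype in RANGES:
            lo, hi = RANGES[ftype]
            if isinstance(item, bool) or not isinstance(item, int):
                return "not an integer: %r" % (item,)
            if not lo <= item <= hi:
                return "%d outside signed %s range" % (item, ftype)
        elif ftype in ("keyword", "text") and not isinstance(item, str):
            return "not a string: %r" % (item,)
    return None


def validate(event):
    """Return [(field, problem), ...]; an empty list means the event conforms."""
    problems = []
    if "@timestamp" not in event:
        problems.append(("@timestamp", "required field missing"))
    for path, value in flatten(event):
        ftype = SCHEMA.get(path)
        reason = "field not in schema" if ftype is None else check_value(ftype, value)
        if reason is not None:
            problems.append((path, reason))
    return problems


def split_address(side):
    """Apply the `.address` rule: keep the raw value and copy it to `.ip` or `.domain`."""
    side = dict(side)
    raw = side.get("address")
    if raw is not None:
        try:
            ipaddress.ip_address(raw)
            side.setdefault("ip", raw)
        except ValueError:
            side.setdefault("domain", raw)  # not a literal IP: treat it as a domain
    return side


def normalize(event):
    """Return a copy of the event with source/destination `.address` duplicated."""
    out = dict(event)
    for key in ("source", "destination"):
        if isinstance(out.get(key), dict):
            out[key] = split_address(out[key])
    return out


# Constructed sample of a DNS lookup; serial_event_id is the uint64 maximum on purpose.
SAMPLE_EVENT = {
    "@timestamp": "2019-03-12T17:45:31.000Z",
    "host": {"ip": "10.0.1.5", "hostname": "laptop-mbp"},
    "source": {"address": "10.0.1.5", "port": 53412},
    "destination": {"address": "192.0.2.53", "port": 53},
    "network": {"transport": "udp", "protocol": "dns"},
    "dns": {"question": {"name": "www.example.com", "type": "A", "registered_domain": "example.com"},
            "resolved_ip": ["198.51.100.7"]},
    "endgame": {"serial_event_id": 2**64 - 1, "pid": 4242, "query_name": "www.example.com",
                "query_type": 1, "query_results": "198.51.100.7"},
}

if __name__ == "__main__":
    print(validate(normalize(SAMPLE_EVENT)))
```

Run as a script it reports only `endgame.serial_event_id`, the value that the sensor's uint64 can hold but a signed `long` cannot; everything else in the sample, including the `.ip` copies that `normalize` adds, conforms. The same check is the place to watch uid/gid fields, since a uint32 uid above 2^31-1 fails the `integer` range in exactly the same way.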