schemas/v0/file.yaml (102 lines of code) (raw):

---
title: Endgame File Events.
embedded: true
fields:
  # ECS
  - name: "@timestamp"
    type: date
    description: >
      Date/time when the event originated.
      This is the date/time extracted from the event, typically representing when the event
      was generated by the source. If the event source has no original timestamp, this value
      is typically populated by the first time the event was received by the pipeline.
      Required field for all events.
  - name: message
    type: text
    description: >
      For log events the message field contains the log message, optimized for viewing in
      a log viewer. For structured logs without an original message field, other fields can
      be concatenated to form a human-readable summary of the event. If multiple messages
      exist, they can be combined into one message.
  - name: host
    description: >
      The host fields are used to describe the host that's publishing data.
    fields:
      - name: os
        description: >
          The description of the operating system.
        fields:
          - name: platform
            type: keyword
            description: >
              Currently we just try to use the non-normalized "name" (i.e. macos).
              See https://www.elastic.co/guide/en/ecs/current/ecs-os.html for how we should be mapping this
            example: darwin
          - name: name
            type: keyword
            description: >
              Currently we just normalize the name (i.e. macOS, Windows, Linux).
              See https://www.elastic.co/guide/en/ecs/current/ecs-os.html for how we should be mapping this
            example: Mac OS X
          - name: version
            type: keyword
            description: >
              Operating system version as a raw string.
            example: 10.14.1
      - name: ip
        type: ip
        description: >
          The IP address of the sensor, currently this is the IP that the SMP sees.
        example: 10.0.1.5
      - name: hostname
        type: keyword
        description: >
          The hostname of the sensor, currently this is the hostname that the SMP sees.
        example: laptop-mbp
      - name: name
        type: keyword
        description: >
          The name of the sensor, currently this is the hostname that the SMP sees.
        example: laptop-mbp
  - name: event
    description: >
      The event fields are used to describe the event metadata.
    fields:
      - name: id
        type: keyword
        description: >
          Unique ID to describe the event.
        example: 8a4f500d
      - name: module
        type: keyword
        description: >
          Currently hardcoded to "endgame".
        example: endgame
      - name: dataset
        type: keyword
        description: >
          Currently hardcoded to "esensor".
        example: esensor
      - name: action
        type: keyword
        description: >
          The event action.
        example: process_created_event
      - name: kind
        type: keyword
        description: >
          The event kind.
        example: event
      - name: category
        type: keyword
        description: >
          The event category.
        example: process
      - name: type
        type: keyword
        description: >
          The event type.
        example: process_start
  - name: labels
    description: >
      Metadata labels for Endgame data.
    type: object
    object_type: keyword
    example: '{"account_id": 12321,"endpoint_id": 12321}'
  - name: agent
    description: >
      The agent fields are used to describe by which endgame sensor information was collected.
    fields:
      - name: version
        type: keyword
        description: >
          Version of the endgame sensor publishing the event.
        example: 5.31.2
      - name: type
        type: keyword
        description: >
          Endgame.
        example: endgame
      - name: id
        type: keyword
        description: >
          Unique sensor identifier.
        example: 8a4f500d
  # Our current stuff
  - name: endgame
    description: >
      The current endgame fields.
    fields:
      # BaseDataBuffer
      - name: serial_event_id
        type: long # this is a uint64 right now
        description: ""
      - name: opcode
        type: integer # this is a uint32 right now
        description: ""
      - name: event_type_full
        type: keyword
        description: ""
      - name: event_subtype_full
        type: keyword
        description: ""
      # GenericDataBuffer
      - name: timestamp
        type: date # this is a uint64 right now
        description: ""
      - name: timestamp_utc
        type: keyword
        description: ""
      - name: event_message
        type: keyword
        description: ""
      - name: unknown_properties
        type: keyword # this is a generic object right now, we should get rid of it
        description: ""
      - name: pid
        type: integer # this is a uint32 right now
        description: ""
      - name: process_path
        type: keyword
        description: ""
      - name: process_name
        type: keyword
        description: ""
      - name: unique_pid
        type: long # this is a uint64 right now
        description: ""
      # GenericDataBuffer: Windows
      - name: user_name
        type: keyword
        description: ""
      - name: user_domain
        type: keyword
        description: ""
      - name: user_sid
        type: keyword
        description: ""
      - name: tid
        type: integer # this is a uint32 right now
        description: ""
      # GenericDataBuffer: Posix
      - name: real_user_name
        type: keyword
        description: ""
      - name: effective_user_name
        type: keyword
        description: ""
      - name: real_group_name
        type: keyword
        description: ""
      - name: effective_group_name
        type: keyword
        description: ""
      - name: real_uid
        type: integer # this is a uint32 right now
        description: ""
      - name: effective_uid
        type: integer # this is a uint32 right now
        description: ""
      - name: real_gid
        type: integer # this is a uint32 right now
        description: ""
      - name: effective_gid
        type: integer # this is a uint32 right now
        description: ""
      # FileDataBuffer
      - name: file_path
        type: keyword
        description: ""
      - name: file_name
        type: keyword
        description: ""
      - name: md5
        type: keyword
        description: ""
      - name: sha1
        type: keyword
        description: ""
      - name: sha256
        type: keyword
        description: ""
      - name: old_file_path
        type: keyword
        description: ""
      - name: old_file_name
        type: keyword
        description: ""
      # FileDataBuffer: Windows
      - name: create_disposition
        type: integer # this is a uint32 right now
        description: ""
      - name: desired_access
        type: integer # this is a uint32 right now
        description: ""
      - name: create_options
        type: integer # this is a uint32 right now
        description: ""
      - name: share_mode
        type: integer # this is a uint32 right now
        description: ""
      - name: file_attributes
        type: integer # this is a uint32 right now
        description: ""
      - name: zone_id
        type: integer
        description: ""
      # FileDataBuffer: Posix
      - name: other_file_path
        type: keyword
        description: ""
      - name: fileid
        type: long # this is a uint64 right now
        description: ""
      - name: parent_pid
        type: integer # this is a uint32 right now
        description: ""
      - name: file_mode
        type: keyword
        description: ""