schemas/v0/network.yaml (102 lines of code) (raw):

---
title: Endgame Network events.
embedded: true
fields:
  # ECS
  - name: "@timestamp"
    type: date
    description: >
      Date/time when the event originated.
      This is the date/time extracted from the event, typically representing when the event was generated by the source.
      If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
      Required field for all events.
  - name: message
    type: text
    description: >
      For log events the message field contains the log message, optimized for viewing in a log viewer.
      For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
      If multiple messages exist, they can be combined into one message.
  - name: host
    description: >
      The host fields are used to describe the host that's publishing data.
    fields:
      - name: os
        description: >
          The description of the operating system.
        fields:
          - name: platform
            type: keyword
            description: >
              Currently we just try to use the non-normalized "name" (i.e. macos).
              See https://www.elastic.co/guide/en/ecs/current/ecs-os.html for how we should be mapping this.
            example: darwin
          - name: name
            type: keyword
            description: >
              Currently we just normalize the name (i.e. macOS, Windows, Linux).
              See https://www.elastic.co/guide/en/ecs/current/ecs-os.html for how we should be mapping this.
            example: Mac OS X
          - name: version
            type: keyword
            description: >
              Operating system version as a raw string.
            example: 10.14.1
      - name: ip
        type: ip
        description: >
          The IP address of the sensor; currently this is the IP that the SMP sees.
        example: 10.0.1.5
      - name: hostname
        type: keyword
        description: >
          The hostname of the sensor; currently this is the hostname that the SMP sees.
        example: laptop-mbp
      - name: name
        type: keyword
        description: >
          The name of the sensor; currently this is the hostname that the SMP sees.
        example: laptop-mbp
  - name: event
    description: >
      The event fields are used to describe the event metadata.
    fields:
      - name: id
        type: keyword
        description: >
          Unique ID to describe the event.
        example: 8a4f500d
      - name: module
        type: keyword
        description: >
          Currently hardcoded to "endgame".
        example: endgame
      - name: dataset
        type: keyword
        description: >
          Currently hardcoded to "esensor".
        example: esensor
      - name: action
        type: keyword
        description: >
          The event action.
        example: process_created_event
      - name: kind
        type: keyword
        description: >
          The event kind.
        example: event
      - name: category
        type: keyword
        description: >
          The event category.
        example: process
      - name: type
        type: keyword
        description: >
          The event type.
        example: process_start
  - name: labels
    description: >
      Metadata labels for Endgame data.
    type: object
    object_type: keyword
    example: '{"account_id": 12321,"endpoint_id": 12321}'
  - name: agent
    description: >
      The agent fields are used to describe which endgame sensor collected the information.
    fields:
      - name: version
        type: keyword
        description: >
          Version of the endgame sensor publishing the event.
        example: 5.31.2
      - name: type
        type: keyword
        description: >
          Endgame.
        example: endgame
      - name: id
        type: keyword
        description: >
          Unique sensor identifier.
        example: 8a4f500d
  - name: network
    description: >
      The network is defined as the communication path over which a host or network event happens.
    fields:
      - name: transport
        type: keyword
        description: >
          Protocol name corresponding to the field `iana_number`.
      - name: protocol
        type: keyword
        description: >
          L7 network protocol name.
      - name: community_id
        type: keyword
        description: >
          Learn more at https://github.com/corelight/community-id-spec.
      - name: bytes
        type: long
        format: bytes
        description: >
          Total bytes transferred in both directions.
      - name: packets
        type: long
        description: >
          Total packets transferred in both directions.
  - name: source
    description: >
      Source fields describe details about the source of a packet/event.
    fields:
      - name: address
        type: keyword
        description: >
          Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.
          You should always store the raw address in the `.address` field.
          Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
      - name: ip
        type: ip
        description: >
          IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.
      - name: port
        type: long
        description: >
          Port of the source.
      - name: bytes
        format: bytes
        type: long
        description: >
          Bytes sent from the source to the destination.
      - name: packets
        type: long
        description: >
          Packets sent from the source to the destination.
  - name: destination
    description: >
      Destination fields describe details about the destination of a packet/event.
    fields:
      - name: address
        type: keyword
        description: >
          Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.
          You should always store the raw address in the `.address` field.
          Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
      - name: ip
        type: ip
        description: >
          IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.
      - name: port
        type: long
        description: >
          Port of the destination.
      - name: bytes
        format: bytes
        type: long
        description: >
          Bytes sent from the destination to the source.
      - name: packets
        type: long
        description: >
          Packets sent from the destination to the source.
  # Our current stuff
  - name: endgame
    description: >
      The current endgame fields.
    fields:
      # BaseDataBuffer
      - name: serial_event_id
        type: long # this is a uint64 right now
        description: ""
      - name: opcode
        type: integer # this is a uint32 right now
        description: ""
      - name: event_type_full
        type: keyword
        description: ""
      - name: event_subtype_full
        type: keyword
        description: ""
      # GenericDataBuffer
      - name: timestamp
        type: date # this is a uint64 right now
        description: ""
      - name: timestamp_utc
        type: keyword
        description: ""
      - name: event_message
        type: keyword
        description: ""
      - name: unknown_properties
        type: keyword # this is a generic object right now, we should get rid of it
        description: ""
      - name: pid
        type: integer # this is a uint32 right now
        description: ""
      - name: process_path
        type: keyword
        description: ""
      - name: process_name
        type: keyword
        description: ""
      - name: unique_pid
        type: long # this is a uint64 right now
        description: ""
      # GenericDataBuffer: Windows
      - name: user_name
        type: keyword
        description: ""
      - name: user_domain
        type: keyword
        description: ""
      - name: user_sid
        type: keyword
        description: ""
      - name: tid
        type: integer # this is a uint32 right now
        description: ""
      # GenericDataBuffer: Posix
      - name: real_user_name
        type: keyword
        description: ""
      - name: effective_user_name
        type: keyword
        description: ""
      - name: real_group_name
        type: keyword
        description: ""
      - name: effective_group_name
        type: keyword
        description: ""
      - name: real_uid
        type: integer # this is a uint32 right now
        description: ""
      - name: effective_uid
        type: integer # this is a uint32 right now
        description: ""
      - name: real_gid
        type: integer # this is a uint32 right now
        description: ""
      - name: effective_gid
        type: integer # this is a uint32 right now
        description: ""
      # NetworkDataBuffer
      - name: protocol
        type: keyword
        description: ""
      - name: connection_id
        type: integer # this is a uint32 right now
        description: ""
      - name: destination_address
        type: keyword
        description: ""
      - name: destination_port
        type: integer # this is a uint32 right now
        description: ""
      - name: source_port
        type: integer # this is a uint32 right now
        description: ""
      - name: source_address
        type: keyword
        description: ""
      - name: out_bytes
        type: integer # this is a uint32 right now
        description: ""
      - name: in_bytes
        type: integer # this is a uint32 right now
        description: ""
      - name: sequence_number
        type: integer # this is a uint32 right now
        description: ""
      - name: partial_flow
        type: boolean
        description: ""
      - name: total_in_bytes
        type: long # this is a uint64 right now
        description: ""
      - name: total_out_bytes
        type: long # this is a uint64 right now
        description: ""
      - name: in_packet_count
        type: long # this is a uint64 right now
        description: ""
      - name: out_packet_count
        type: long # this is a uint64 right now
        description: ""
      - name: in_bytes_mean
        type: double
        description: ""
      - name: out_bytes_mean
        type: double
        description: ""
      - name: in_bytes_standard_deviation
        type: double
        description: ""
      - name: out_bytes_standard_deviation
        type: double
        description: ""
      - name: in_interval_mean
        type: double
        description: ""
      - name: out_interval_mean
        type: double
        description: ""
      - name: in_interval_standard_deviation
        type: double
        description: ""
      - name: out_interval_standard_deviation
        type: double
        description: ""
      - name: event_id
        type: integer # this is a uint32 right now
        description: ""
      - name: task
        type: integer # this is a uint32 right now
        description: ""
      - name: size
        type: integer # this is a uint32 right now
        description: ""
      - name: http_request
        type: text
        description: ""
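The `source.address` / `destination.address` descriptions above set a rule that a mapping layer has to enforce: keep the raw value in `.address`, and only copy it into `.ip` or `.domain` when it really is one of those (a unix socket path gets neither). The following is an added illustration of that rule, not code from the Endgame sensor or the ECS project. It assumes raw events arrive as flat dicts keyed by the `endgame.*` NetworkDataBuffer names in this schema (`source_address`, `destination_port`, `in_bytes`, ...), that `network.bytes`/`network.packets` can be taken as `in_bytes + out_bytes` and `in_packet_count + out_packet_count` (the schema leaves those fields undescribed, so that is an assumption), and that a "domain" must contain at least one dot; note that `.domain` is mentioned in the descriptions but not defined as a field in this file.

```python
"""Normalize Endgame NetworkDataBuffer fields onto the ECS source/destination/network
fields of schemas/v0/network.yaml. Added example; assumptions are marked below."""
import ipaddress
import re

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, at most 63 chars per label, optional trailing dot.
# Requiring at least one dot is an assumption made here so that arbitrary words
# such as "unknown" are not promoted to `.domain`.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+\.?$"
)


def classify_address(raw):
    """Return {'address': raw} plus 'ip' or 'domain' when the raw value is one.

    Follows the schema rule: the raw string is always kept in `.address`; it is
    duplicated into `.ip` (normalized textual form) or `.domain` (lower-cased,
    trailing dot removed) only when it parses as such. Unix socket paths and
    anything unrecognised keep only `.address`.
    """
    out = {"address": raw}
    candidate = raw
    # Accept a bracketed IPv6 literal such as "[::1]"; scoped forms ("%eth0") are rejected.
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        out["ip"] = str(ipaddress.ip_address(candidate))
        return out
    except ValueError:
        pass
    # Filesystem or abstract (Linux "@") unix socket: store the raw address only.
    if raw.startswith("/") or raw.startswith("@"):
        return out
    if _DOMAIN_RE.match(raw):
        out["domain"] = raw.rstrip(".").lower()
    return out


def normalize_network_event(raw_event):
    """Map one raw endgame.* event dict onto the ECS fields defined in the schema."""
    src = classify_address(raw_event["source_address"])
    dst = classify_address(raw_event["destination_address"])
    src["port"] = int(raw_event["source_port"])
    dst["port"] = int(raw_event["destination_port"])
    return {
        "source": src,
        "destination": dst,
        "network": {
            # ECS network.bytes/packets are totals over both directions; summing the
            # in_*/out_* counters is this example's assumption about their meaning.
            "bytes": int(raw_event["in_bytes"]) + int(raw_event["out_bytes"]),
            "packets": int(raw_event["in_packet_count"]) + int(raw_event["out_packet_count"]),
        },
        # The raw sensor fields stay available verbatim under endgame.*.
        "endgame": dict(raw_event),
    }


# Constructed sample events (TEST-NET addresses and invented counters), not sensor output.
SAMPLE_EVENTS = [
    {"source_address": "10.0.1.5", "source_port": 52113,
     "destination_address": "192.0.2.10", "destination_port": 443,
     "in_bytes": 5120, "out_bytes": 880, "in_packet_count": 7, "out_packet_count": 6},
    {"source_address": "[::1]", "source_port": 40000,
     "destination_address": "updates.example.com.", "destination_port": 80,
     "in_bytes": 0, "out_bytes": 300, "in_packet_count": 0, "out_packet_count": 2},
    {"source_address": "/var/run/docker.sock", "source_port": 0,
     "destination_address": "@abstract-sock", "destination_port": 0,
     "in_bytes": 10, "out_bytes": 20, "in_packet_count": 1, "out_packet_count": 1},
]

if __name__ == "__main__":
    import json
    for event in SAMPLE_EVENTS:
        print(json.dumps(normalize_network_event(event), indent=2))
```

Running the block prints the three normalized documents; the second shows an IPv6 literal landing in `source.ip` and a domain with trailing dot landing in `destination.domain`, and the third shows both socket addresses kept in `.address` only, which is the case a mapping that blindly copies into an `ip`-typed field would reject at index time.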