schemas/v0/process.yaml (336 lines of code) (raw):

---
title: Endgame Process Events
embedded: true
fields:
  # ECS
  - name: "@timestamp"
    type: date
    description: >
      Date/time when the event originated.
      This is the date/time extracted from the event, typically representing when the event was generated by the source.
      If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
      Required field for all events.
  - name: message
    type: text
    description: >
      For log events the message field contains the log message, optimized for viewing in a log viewer.
      For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
      If multiple messages exist, they can be combined into one message.
  - name: host
    description: >
      The host fields are used to describe the host that's publishing data.
    fields:
      - name: os
        description: >
          The description of the operating system.
        fields:
          - name: platform
            type: keyword
            description: >
              Currently we just try to use the non-normalized "name" (i.e. macos).
              See https://www.elastic.co/guide/en/ecs/current/ecs-os.html for how we should be mapping this.
            example: darwin
          - name: name
            type: keyword
            description: >
              Currently we just normalize the name (i.e. macOS, Windows, Linux).
              See https://www.elastic.co/guide/en/ecs/current/ecs-os.html for how we should be mapping this.
            example: Mac OS X
          - name: version
            type: keyword
            description: >
              Operating system version as a raw string.
            example: 10.14.1
      - name: ip
        type: ip
        description: >
          The IP address of the sensor; currently this is the IP that the SMP sees.
        example: 10.0.1.5
      - name: hostname
        type: keyword
        description: >
          The hostname of the sensor; currently this is the hostname that the SMP sees.
        example: laptop-mbp
      - name: name
        type: keyword
        description: >
          The name of the sensor; currently this is the hostname that the SMP sees.
        example: laptop-mbp
  - name: event
    description: >
      The event fields are used to describe the event metadata.
    fields:
      - name: id
        type: keyword
        description: >
          Unique ID to describe the event.
        example: 8a4f500d
      - name: module
        type: keyword
        description: >
          Currently hardcoded to "endgame".
        example: endgame
      - name: dataset
        type: keyword
        description: >
          Currently hardcoded to "esensor".
        example: esensor
      - name: action
        type: keyword
        description: >
          The event action.
        example: process_created_event
      - name: kind
        type: keyword
        description: >
          The event kind.
        example: event
      - name: category
        type: keyword
        description: >
          The event category.
        example: process
      - name: type
        type: keyword
        description: >
          The event type.
        example: process_start
  - name: labels
    description: >
      Metadata labels for Endgame data.
    type: object
    object_type: keyword
    example: '{"account_id": 12321,"endpoint_id": 12321}'
  - name: agent
    description: >
      The agent fields are used to describe the endgame sensor by which the information was collected.
    fields:
      - name: version
        type: keyword
        description: >
          Version of the endgame sensor publishing the event.
        example: 5.31.2
      - name: type
        type: keyword
        description: >
          Endgame.
        example: endgame
      - name: id
        type: keyword
        description: >
          Unique sensor identifier.
        example: 8a4f500d
  - name: user
    description: >
      The user fields are used to describe the user to which the event belongs.
    fields:
      - name: group
        description: >
          The group fields are used to describe the user group to which the event belongs.
        fields:
          - name: id
            type: keyword
            description: >
              Unique identifier for the group on the system/platform.
          - name: name
            type: keyword
            description: >
              Name of the group.
      - name: id
        type: keyword
        description: >
          One or multiple unique identifiers of the user.
      - name: name
        type: keyword
        description: >
          Short name or login of the user.
        example: albert
  - name: process
    description: >
      The process fields are used to describe the process to which the event belongs.
    fields:
      - name: pid
        type: long
        description: >
          Process id.
      - name: ppid
        type: long
        description: >
          Parent process' pid.
      - name: name
        type: keyword
        description: >
          Process name. Sometimes called program name or similar.
      - name: executable
        type: keyword
        description: >
          Absolute path to the process executable.
      - name: args
        type: keyword
        object_type: keyword
        description: >
          Array of process arguments. May be filtered to protect sensitive information.
      - name: thread
        description: >
          The thread fields are used to describe the process thread to which the event belongs.
        fields:
          - name: id
            type: long
            description: >
              Thread ID.
      - name: hash
        description: >
          The hash fields are used to describe the hash values for a particular process.
        fields:
          - name: md5
            type: keyword
            description: >
              MD5 hash.
          - name: sha1
            type: keyword
            description: >
              SHA1 hash.
          - name: sha256
            type: keyword
            description: >
              SHA256 hash.
  # Our current stuff
  - name: endgame
    description: >
      The current endgame fields.
    fields:
      # BaseDataBuffer
      - name: serial_event_id
        type: long  # this is a uint64 right now
        description: ""
      - name: opcode
        type: integer  # this is a uint32 right now
        description: ""
      - name: event_type_full
        type: keyword
        description: ""
      - name: event_subtype_full
        type: keyword
        description: ""
      # GenericDataBuffer
      - name: timestamp
        type: date  # this is a uint64 right now
        description: ""
      - name: timestamp_utc
        type: keyword
        description: ""
      - name: event_message
        type: keyword
        description: ""
      - name: unknown_properties
        type: keyword  # this is a generic object right now, we should get rid of it
        description: ""
      - name: pid
        type: integer  # this is a uint32 right now
        description: ""
      - name: process_path
        type: keyword
        description: ""
      - name: process_name
        type: keyword
        description: ""
      - name: unique_pid
        type: long  # this is a uint64 right now
        description: ""
      # GenericDataBuffer: Windows
      - name: user_name
        type: keyword
        description: ""
      - name: user_domain
        type: keyword
        description: ""
      - name: user_sid
        type: keyword
        description: ""
      - name: tid
        type: integer  # this is a uint32 right now
        description: ""
      # GenericDataBuffer: Posix
      - name: real_user_name
        type: keyword
        description: ""
      - name: effective_user_name
        type: keyword
        description: ""
      - name: real_group_name
        type: keyword
        description: ""
      - name: effective_group_name
        type: keyword
        description: ""
      - name: real_uid
        type: integer  # this is a uint32 right now
        description: ""
      - name: effective_uid
        type: integer  # this is a uint32 right now
        description: ""
      - name: real_gid
        type: integer  # this is a uint32 right now
        description: ""
      - name: effective_gid
        type: integer  # this is a uint32 right now
        description: ""
      # ProcessDataBuffer
      - name: ppid
        type: integer  # this is a uint32 right now
        description: ""
      - name: exit_code
        type: integer  # this is a uint32 right now
        description: ""
      - name: command_line
        type: keyword
        description: ""
      - name: parent_process_name
        type: keyword
        description: ""
      - name: parent_process_path
        type: keyword
        description: ""
      - name: md5
        type: keyword
        description: ""
      - name: sha1
        type: keyword
        description: ""
      - name: sha256
        type: keyword
        description: ""
      - name: unique_ppid
        type: long  # this is a uint64 right now
        description: ""
      # ProcessDataBuffer: Windows
      - name: authentication_id
        type: long  # this is a uint64 right now
        description: ""
      - name: package_name
        type: keyword
        description: ""
      - name: signature_signer
        type: keyword
        description: ""
      - name: signature_status
        type: keyword
        description: ""
      - name: original_file_name
        type: keyword
        description: ""
      - name: integrity_level
        type: keyword
        description: ""
      - name: elevated
        type: boolean
        description: ""
      - name: elevation_type
        type: keyword
        description: ""
      - name: true_ppid
        type: integer  # this is a uint32 right now
        description: ""
      - name: unique_true_ppid
        type: long  # this is a uint64 right now
        description: ""
      # ProcessDataBuffer: Posix
      - name: session_id
        type: integer
        description: ""
      - name: exit_code_full
        type: integer  # this is a uint32 right now
        description: ""
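The schema above nests groups (`host`, `host.os`, `process.hash`) under `fields:` and leaves leaf entries with a `type`. A consumer of these events typically needs the flattened dotted names (`host.os.platform`, `process.hash.sha256`) and a type check before indexing, which is also where the mismatch between ECS `process.pid` (`long`) and `endgame.pid` (`integer`, a uint32 at the sensor) becomes visible. The following is an added example, not code from the Endgame project; `SCHEMA` is a constructed, abridged transcription of the page's YAML as a Python dict (so no YAML library is needed), and the sample events are constructed as well.

```python
"""Flatten a process.yaml-style field schema into dotted field names and
check sample events against the declared types (added example).

SCHEMA is a constructed, abridged copy of the page's schema; the events
below are constructed samples, not real sensor data.
"""
import ipaddress
from datetime import datetime

SCHEMA = {
    "fields": [
        {"name": "@timestamp", "type": "date"},
        {"name": "host", "fields": [
            {"name": "os", "fields": [
                {"name": "platform", "type": "keyword"},
                {"name": "name", "type": "keyword"},
            ]},
            {"name": "ip", "type": "ip"},
            {"name": "hostname", "type": "keyword"},
        ]},
        {"name": "event", "fields": [
            {"name": "id", "type": "keyword"},
            {"name": "category", "type": "keyword"},
        ]},
        {"name": "process", "fields": [
            {"name": "pid", "type": "long"},
            {"name": "args", "type": "keyword", "object_type": "keyword"},
            {"name": "hash", "fields": [{"name": "sha256", "type": "keyword"}]},
        ]},
        {"name": "endgame", "fields": [
            {"name": "pid", "type": "integer"},   # uint32 at the sensor
            {"name": "elevated", "type": "boolean"},
        ]},
    ]
}


def flatten(fields, prefix=""):
    """Return {dotted_name: type}; entries carrying 'fields' are groups and recurse."""
    out = {}
    for entry in fields:
        path = prefix + entry["name"]
        if "fields" in entry:
            out.update(flatten(entry["fields"], path + "."))
        else:
            out[path] = entry["type"]
    return out


def _is_int(value, bits):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) \
        and -(2 ** (bits - 1)) <= value < 2 ** (bits - 1)


def check_scalar(value, ftype):
    """True if a single value is acceptable for the Elasticsearch field type."""
    if ftype in ("keyword", "text"):
        return isinstance(value, str)
    if ftype == "long":
        return _is_int(value, 64)
    if ftype == "integer":
        return _is_int(value, 32)
    if ftype == "boolean":
        return isinstance(value, bool)
    if ftype == "date":
        if not isinstance(value, str):
            return False
        try:
            datetime.fromisoformat(value.replace("Z", "+00:00"))
            return True
        except ValueError:
            return False
    if ftype == "ip":
        if not isinstance(value, str):
            return False
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    return False  # unknown type name in the schema


def validate(event, schema=SCHEMA):
    """Return a list of problems for a flat event dict keyed by dotted field name.

    Lists are accepted for any field (Elasticsearch fields are multi-valued),
    and every element must match the declared type.
    """
    types = flatten(schema["fields"])
    problems = []
    for key, value in event.items():
        if key not in types:
            problems.append(f"unknown field {key}")
            continue
        values = value if isinstance(value, list) else [value]
        bad = [v for v in values if not check_scalar(v, types[key])]
        if bad:
            problems.append(f"{key}: expected {types[key]}, got {bad!r}")
    if "@timestamp" not in event:
        problems.append("@timestamp is required")
    return problems


# Constructed sample events.
GOOD_EVENT = {
    "@timestamp": "2019-05-01T12:00:00Z",
    "host.os.platform": "darwin",
    "host.ip": "10.0.1.5",
    "event.category": "process",
    "process.pid": 4242,
    "process.args": ["/bin/ls", "-la"],
    "process.hash.sha256": "a" * 64,
    "endgame.pid": 4242,
    "endgame.elevated": False,
}
BAD_EVENT = {
    "host.ip": "not-an-ip",
    "process.pid": "4242",      # string where long is declared
    "endgame.pid": 2 ** 40,     # fits long but not the uint32-backed integer
    "process.foo": 1,           # not in the schema
}

if __name__ == "__main__":
    for name, ev in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(name, validate(ev) or "ok")
```

Running the block prints `good ok` and then the five problems found in `BAD_EVENT`. Note that the check is per-element, so `process.args` as a list of strings passes while a single non-string element would fail the whole field.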