'@timestamp':
dashed_name: timestamp
description: 'Date/time when the event originated.
This is the date/time extracted from the event, typically representing when the
event was generated by the source.
If the event source has no original timestamp, this value is typically populated
by the first time the event was received by the pipeline.
Required field for all events.'
example: '2016-05-23T08:05:34.853Z'
flat_name: '@timestamp'
level: core
name: '@timestamp'
normalize: []
required: true
short: Date/time when the event originated.
type: date
Endpoint.policy:
dashed_name: Endpoint-policy
description: The policy fields are used to hold information about applied policy.
flat_name: Endpoint.policy
level: custom
name: policy
normalize: []
short: The policy fields are used to hold information about applied policy.
type: object
Endpoint.policy.applied:
dashed_name: Endpoint-policy-applied
description: information about the policy that is applied
flat_name: Endpoint.policy.applied
level: custom
name: policy.applied
normalize: []
short: information about the policy that is applied
type: object
Endpoint.policy.applied.artifacts:
dashed_name: Endpoint-policy-applied-artifacts
description: information about protection artifacts applied.
flat_name: Endpoint.policy.applied.artifacts
level: custom
name: policy.applied.artifacts
normalize: []
short: information about protection artifacts applied.
type: object
Endpoint.policy.applied.artifacts.global:
dashed_name: Endpoint-policy-applied-artifacts-global
description: information about global protection artifacts applied.
flat_name: Endpoint.policy.applied.artifacts.global
level: custom
name: policy.applied.artifacts.global
normalize: []
short: information about global protection artifacts applied.
type: object
Endpoint.policy.applied.artifacts.global.channel:
dashed_name: Endpoint-policy-applied-artifacts-global-channel
description: global artifacts rollout channel
flat_name: Endpoint.policy.applied.artifacts.global.channel
ignore_above: 1024
level: custom
name: policy.applied.artifacts.global.channel
normalize: []
short: global artifacts rollout channel
type: keyword
Endpoint.policy.applied.artifacts.global.identifiers:
dashed_name: Endpoint-policy-applied-artifacts-global-identifiers
description: the identifiers of global artifacts applied.
flat_name: Endpoint.policy.applied.artifacts.global.identifiers
level: custom
name: policy.applied.artifacts.global.identifiers
normalize: []
short: the identifiers of global artifacts applied.
type: nested
Endpoint.policy.applied.artifacts.global.identifiers.name:
dashed_name: Endpoint-policy-applied-artifacts-global-identifiers-name
description: the name of the global artifact applied.
flat_name: Endpoint.policy.applied.artifacts.global.identifiers.name
ignore_above: 1024
level: custom
name: policy.applied.artifacts.global.identifiers.name
normalize: []
short: the name of the global artifact applied.
type: keyword
Endpoint.policy.applied.artifacts.global.identifiers.sha256:
dashed_name: Endpoint-policy-applied-artifacts-global-identifiers-sha256
description: the sha256 of global artifacts applied.
flat_name: Endpoint.policy.applied.artifacts.global.identifiers.sha256
ignore_above: 1024
level: custom
name: policy.applied.artifacts.global.identifiers.sha256
normalize: []
short: the sha256 of global artifacts applied.
type: keyword
Endpoint.policy.applied.artifacts.global.snapshot:
dashed_name: Endpoint-policy-applied-artifacts-global-snapshot
description: the snapshot date of applied global artifacts or 'latest'
flat_name: Endpoint.policy.applied.artifacts.global.snapshot
ignore_above: 1024
level: custom
name: policy.applied.artifacts.global.snapshot
normalize: []
short: the snapshot date of applied global artifacts or 'latest'
type: keyword
Endpoint.policy.applied.artifacts.global.update_age:
dashed_name: Endpoint-policy-applied-artifacts-global-update-age
description: number of days since global artifacts were made up-to-date
flat_name: Endpoint.policy.applied.artifacts.global.update_age
level: custom
name: policy.applied.artifacts.global.update_age
normalize: []
short: number of days since global artifacts were made up-to-date
type: unsigned_long
Endpoint.policy.applied.artifacts.global.version:
dashed_name: Endpoint-policy-applied-artifacts-global-version
description: the version of global artifacts applied.
flat_name: Endpoint.policy.applied.artifacts.global.version
ignore_above: 1024
level: custom
name: policy.applied.artifacts.global.version
normalize: []
short: the version of global artifacts applied.
type: keyword
Endpoint.policy.applied.artifacts.user:
dashed_name: Endpoint-policy-applied-artifacts-user
description: information about user protection artifacts applied.
flat_name: Endpoint.policy.applied.artifacts.user
level: custom
name: policy.applied.artifacts.user
normalize: []
short: information about user protection artifacts applied.
type: object
Endpoint.policy.applied.artifacts.user.identifiers:
dashed_name: Endpoint-policy-applied-artifacts-user-identifiers
description: the identifiers of user artifacts applied.
flat_name: Endpoint.policy.applied.artifacts.user.identifiers
level: custom
name: policy.applied.artifacts.user.identifiers
normalize: []
short: the identifiers of user artifacts applied.
type: nested
Endpoint.policy.applied.artifacts.user.identifiers.name:
dashed_name: Endpoint-policy-applied-artifacts-user-identifiers-name
description: the name of the user artifact applied.
flat_name: Endpoint.policy.applied.artifacts.user.identifiers.name
ignore_above: 1024
level: custom
name: policy.applied.artifacts.user.identifiers.name
normalize: []
short: the name of the user artifact applied.
type: keyword
Endpoint.policy.applied.artifacts.user.identifiers.sha256:
dashed_name: Endpoint-policy-applied-artifacts-user-identifiers-sha256
description: the sha256 of user artifacts applied.
flat_name: Endpoint.policy.applied.artifacts.user.identifiers.sha256
ignore_above: 1024
level: custom
name: policy.applied.artifacts.user.identifiers.sha256
normalize: []
short: the sha256 of user artifacts applied.
type: keyword
Endpoint.policy.applied.artifacts.user.version:
dashed_name: Endpoint-policy-applied-artifacts-user-version
description: the version of user artifacts applied.
flat_name: Endpoint.policy.applied.artifacts.user.version
ignore_above: 1024
level: custom
name: policy.applied.artifacts.user.version
normalize: []
short: the version of user artifacts applied.
type: keyword
Endpoint.policy.applied.id:
dashed_name: Endpoint-policy-applied-id
description: the id of the applied policy
flat_name: Endpoint.policy.applied.id
ignore_above: 1024
level: custom
name: policy.applied.id
normalize: []
short: the id of the applied policy
type: keyword
Endpoint.policy.applied.name:
dashed_name: Endpoint-policy-applied-name
description: the name of this applied policy
flat_name: Endpoint.policy.applied.name
ignore_above: 1024
level: custom
name: policy.applied.name
normalize: []
short: the name of this applied policy
type: keyword
Endpoint.policy.applied.status:
dashed_name: Endpoint-policy-applied-status
description: the status of the applied policy
flat_name: Endpoint.policy.applied.status
ignore_above: 1024
level: custom
name: policy.applied.status
normalize: []
short: the status of the applied policy
type: keyword
Endpoint.policy.applied.version:
dashed_name: Endpoint-policy-applied-version
description: the version of this applied policy
flat_name: Endpoint.policy.applied.version
ignore_above: 1024
level: custom
name: policy.applied.version
normalize: []
short: the version of this applied policy
type: keyword
Ransomware.child_processes.executable:
dashed_name: Ransomware-child-processes-executable
description: Absolute path to the process executable.
example: /usr/bin/ssh
flat_name: Ransomware.child_processes.executable
ignore_above: 1024
level: custom
multi_fields:
- flat_name: Ransomware.child_processes.executable.text
name: text
norms: false
type: text
name: executable
normalize: []
original_fieldset: Ransomware
short: Absolute path to the process executable.
type: keyword
Ransomware.child_processes.feature:
dashed_name: Ransomware-child-processes-feature
description: Ransomware feature which triggered the alert.
flat_name: Ransomware.child_processes.feature
ignore_above: 1024
level: custom
name: feature
normalize: []
original_fieldset: Ransomware
short: Ransomware feature which triggered the alert.
type: keyword
Ransomware.child_processes.files:
dashed_name: Ransomware-child-processes-files
description: Information about each file event attributed to the ransomware. Expected
to be an array.
flat_name: Ransomware.child_processes.files
level: custom
name: files
normalize:
- array
original_fieldset: Ransomware
short: Information about each file event attributed to the ransomware. Expected
to be an array.
type: nested
Ransomware.child_processes.files.data:
dashed_name: Ransomware-child-processes-files-data
description: File header or MBR bytes.
flat_name: Ransomware.child_processes.files.data
ignore_above: 1024
level: custom
name: files.data
normalize: []
original_fieldset: Ransomware
short: File header or MBR bytes.
type: keyword
Ransomware.child_processes.files.entropy:
dashed_name: Ransomware-child-processes-files-entropy
description: Entropy of file contents.
flat_name: Ransomware.child_processes.files.entropy
level: custom
name: files.entropy
normalize: []
original_fieldset: Ransomware
short: Entropy of file contents.
type: double
Ransomware.child_processes.files.extension:
dashed_name: Ransomware-child-processes-files-extension
description: File extension, excluding the leading dot.
flat_name: Ransomware.child_processes.files.extension
ignore_above: 1024
level: custom
name: files.extension
normalize: []
original_fieldset: Ransomware
short: File extension, excluding the leading dot.
type: keyword
Ransomware.child_processes.files.metrics:
dashed_name: Ransomware-child-processes-files-metrics
description: Suspicious ransomware behaviours associated with the file event.
flat_name: Ransomware.child_processes.files.metrics
ignore_above: 1024
level: custom
name: files.metrics
normalize:
- array
original_fieldset: Ransomware
short: Suspicious ransomware behaviours associated with the file event.
type: keyword
Ransomware.child_processes.files.operation:
dashed_name: Ransomware-child-processes-files-operation
description: Operation applied to file.
flat_name: Ransomware.child_processes.files.operation
ignore_above: 1024
level: custom
name: files.operation
normalize: []
original_fieldset: Ransomware
short: Operation applied to file.
type: keyword
Ransomware.child_processes.files.original.extension:
dashed_name: Ransomware-child-processes-files-original-extension
description: Original file extension prior to the file event.
flat_name: Ransomware.child_processes.files.original.extension
ignore_above: 1024
level: custom
name: files.original.extension
normalize: []
original_fieldset: Ransomware
short: Original file extension prior to the file event.
type: keyword
Ransomware.child_processes.files.original.path:
dashed_name: Ransomware-child-processes-files-original-path
description: Original file path prior to the file event.
flat_name: Ransomware.child_processes.files.original.path
ignore_above: 1024
level: custom
name: files.original.path
normalize: []
original_fieldset: Ransomware
short: Original file path prior to the file event.
type: keyword
Ransomware.child_processes.files.path:
dashed_name: Ransomware-child-processes-files-path
description: Full path to the file, including the file name.
flat_name: Ransomware.child_processes.files.path
ignore_above: 1024
level: custom
name: files.path
normalize: []
original_fieldset: Ransomware
short: Full path to the file, including the file name.
type: keyword
Ransomware.child_processes.files.score:
dashed_name: Ransomware-child-processes-files-score
description: Ransomware score for this particular file event.
flat_name: Ransomware.child_processes.files.score
level: custom
name: files.score
normalize: []
original_fieldset: Ransomware
short: Ransomware score for this particular file event.
type: double
Ransomware.child_processes.pid:
dashed_name: Ransomware-child-processes-pid
description: Process id.
example: 4242
flat_name: Ransomware.child_processes.pid
format: string
level: custom
name: pid
normalize: []
original_fieldset: Ransomware
short: Process id.
type: long
Ransomware.child_processes.score:
dashed_name: Ransomware-child-processes-score
description: Total ransomware score for aggregated file events.
flat_name: Ransomware.child_processes.score
level: custom
name: score
normalize: []
original_fieldset: Ransomware
short: Total ransomware score for aggregated file events.
type: double
Ransomware.child_processes.version:
dashed_name: Ransomware-child-processes-version
description: Ransomware artifact version.
flat_name: Ransomware.child_processes.version
ignore_above: 1024
level: custom
name: version
normalize: []
original_fieldset: Ransomware
short: Ransomware artifact version.
type: keyword
Ransomware.executable:
dashed_name: Ransomware-executable
description: Absolute path to the process executable.
example: /usr/bin/ssh
flat_name: Ransomware.executable
ignore_above: 1024
level: custom
multi_fields:
- flat_name: Ransomware.executable.text
name: text
norms: false
type: text
name: executable
normalize: []
short: Absolute path to the process executable.
type: keyword
Ransomware.feature:
dashed_name: Ransomware-feature
description: Ransomware feature which triggered the alert.
flat_name: Ransomware.feature
ignore_above: 1024
level: custom
name: feature
normalize: []
short: Ransomware feature which triggered the alert.
type: keyword
Ransomware.files:
dashed_name: Ransomware-files
description: Information about each file event attributed to the ransomware. Expected
to be an array.
flat_name: Ransomware.files
level: custom
name: files
normalize:
- array
short: Information about each file event attributed to the ransomware. Expected
to be an array.
type: nested
Ransomware.files.data:
dashed_name: Ransomware-files-data
description: File header or MBR bytes.
flat_name: Ransomware.files.data
ignore_above: 1024
level: custom
name: files.data
normalize: []
short: File header or MBR bytes.
type: keyword
Ransomware.files.entropy:
dashed_name: Ransomware-files-entropy
description: Entropy of file contents.
flat_name: Ransomware.files.entropy
level: custom
name: files.entropy
normalize: []
short: Entropy of file contents.
type: double
Ransomware.files.extension:
dashed_name: Ransomware-files-extension
description: File extension, excluding the leading dot.
flat_name: Ransomware.files.extension
ignore_above: 1024
level: custom
name: files.extension
normalize: []
short: File extension, excluding the leading dot.
type: keyword
Ransomware.files.metrics:
dashed_name: Ransomware-files-metrics
description: Suspicious ransomware behaviours associated with the file event.
flat_name: Ransomware.files.metrics
ignore_above: 1024
level: custom
name: files.metrics
normalize:
- array
short: Suspicious ransomware behaviours associated with the file event.
type: keyword
Ransomware.files.operation:
dashed_name: Ransomware-files-operation
description: Operation applied to file.
flat_name: Ransomware.files.operation
ignore_above: 1024
level: custom
name: files.operation
normalize: []
short: Operation applied to file.
type: keyword
Ransomware.files.original.extension:
dashed_name: Ransomware-files-original-extension
description: Original file extension prior to the file event.
flat_name: Ransomware.files.original.extension
ignore_above: 1024
level: custom
name: files.original.extension
normalize: []
short: Original file extension prior to the file event.
type: keyword
Ransomware.files.original.path:
dashed_name: Ransomware-files-original-path
description: Original file path prior to the file event.
flat_name: Ransomware.files.original.path
ignore_above: 1024
level: custom
name: files.original.path
normalize: []
short: Original file path prior to the file event.
type: keyword
Ransomware.files.path:
dashed_name: Ransomware-files-path
description: Full path to the file, including the file name.
flat_name: Ransomware.files.path
ignore_above: 1024
level: custom
name: files.path
normalize: []
short: Full path to the file, including the file name.
type: keyword
Ransomware.files.score:
dashed_name: Ransomware-files-score
description: Ransomware score for this particular file event.
flat_name: Ransomware.files.score
level: custom
name: files.score
normalize: []
short: Ransomware score for this particular file event.
type: double
Ransomware.pid:
dashed_name: Ransomware-pid
description: Process id.
example: 4242
flat_name: Ransomware.pid
format: string
level: custom
name: pid
normalize: []
short: Process id.
type: long
Ransomware.score:
dashed_name: Ransomware-score
description: Total ransomware score for aggregated file events.
flat_name: Ransomware.score
level: custom
name: score
normalize: []
short: Total ransomware score for aggregated file events.
type: double
Ransomware.version:
dashed_name: Ransomware-version
description: Ransomware artifact version.
flat_name: Ransomware.version
ignore_above: 1024
level: custom
name: version
normalize: []
short: Ransomware artifact version.
type: keyword
agent.ephemeral_id:
dashed_name: agent-ephemeral-id
description: 'Ephemeral identifier of this agent (if one exists).
This id normally changes across restarts, but `agent.id` does not.'
example: 8a4f500f
flat_name: agent.ephemeral_id
ignore_above: 1024
level: extended
name: ephemeral_id
normalize: []
short: Ephemeral identifier of this agent.
type: keyword
agent.id:
dashed_name: agent-id
description: 'Unique identifier of this agent (if one exists).
Example: For Beats this would be beat.id.'
example: 8a4f500d
flat_name: agent.id
ignore_above: 1024
level: core
name: id
normalize: []
short: Unique identifier of this agent.
type: keyword
agent.name:
dashed_name: agent-name
description: 'Custom name of the agent.
This is a name that can be given to an agent. This can be helpful if, for example,
two Filebeat instances are running on the same host and a human-readable way to
tell which Filebeat instance the data is coming from is needed.'
example: foo
flat_name: agent.name
ignore_above: 1024
level: core
name: name
normalize: []
short: Custom name of the agent.
type: keyword
agent.type:
dashed_name: agent-type
description: 'Type of the agent.
The agent type always stays the same and should be given by the agent used. In
the case of Filebeat, the agent type would always be Filebeat, even if two Filebeat
instances are run on the same machine.'
example: filebeat
flat_name: agent.type
ignore_above: 1024
level: core
name: type
normalize: []
short: Type of the agent.
type: keyword
agent.version:
dashed_name: agent-version
description: Version of the agent.
example: 6.0.0-rc2
flat_name: agent.version
ignore_above: 1024
level: core
name: version
normalize: []
short: Version of the agent.
type: keyword
data_stream.dataset:
dashed_name: data-stream-dataset
description: Data stream dataset name.
example: nginx.access
flat_name: data_stream.dataset
level: custom
name: dataset
normalize: []
short: The field can contain anything that makes sense to signify the source of
the data.
type: constant_keyword
data_stream.namespace:
dashed_name: data-stream-namespace
description: Data stream namespace.
example: production
flat_name: data_stream.namespace
level: custom
name: namespace
normalize: []
short: A user defined namespace. Namespaces are useful to allow grouping of data.
type: constant_keyword
data_stream.type:
dashed_name: data-stream-type
description: Data stream type.
example: logs
flat_name: data_stream.type
level: custom
name: type
normalize: []
short: An overarching type for the data stream.
type: constant_keyword
destination.geo.city_name:
dashed_name: destination-geo-city-name
description: City name.
example: Montreal
flat_name: destination.geo.city_name
ignore_above: 1024
level: core
name: city_name
normalize: []
original_fieldset: geo
short: City name.
type: keyword
destination.geo.continent_code:
dashed_name: destination-geo-continent-code
description: Two-letter code representing the continent's name.
example: NA
flat_name: destination.geo.continent_code
ignore_above: 1024
level: core
name: continent_code
normalize: []
original_fieldset: geo
short: Continent code.
type: keyword
destination.geo.continent_name:
dashed_name: destination-geo-continent-name
description: Name of the continent.
example: North America
flat_name: destination.geo.continent_name
ignore_above: 1024
level: core
name: continent_name
normalize: []
original_fieldset: geo
short: Name of the continent.
type: keyword
destination.geo.country_iso_code:
dashed_name: destination-geo-country-iso-code
description: Country ISO code.
example: CA
flat_name: destination.geo.country_iso_code
ignore_above: 1024
level: core
name: country_iso_code
normalize: []
original_fieldset: geo
short: Country ISO code.
type: keyword
destination.geo.country_name:
dashed_name: destination-geo-country-name
description: Country name.
example: Canada
flat_name: destination.geo.country_name
ignore_above: 1024
level: core
name: country_name
normalize: []
original_fieldset: geo
short: Country name.
type: keyword
destination.geo.location:
dashed_name: destination-geo-location
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
flat_name: destination.geo.location
level: core
name: location
normalize: []
original_fieldset: geo
short: Longitude and latitude.
type: geo_point
destination.geo.name:
dashed_name: destination-geo-name
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes a
local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
flat_name: destination.geo.name
ignore_above: 1024
level: extended
name: name
normalize: []
original_fieldset: geo
short: User-defined description of a location.
type: keyword
destination.geo.postal_code:
dashed_name: destination-geo-postal-code
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
flat_name: destination.geo.postal_code
ignore_above: 1024
level: core
name: postal_code
normalize: []
original_fieldset: geo
short: Postal code.
type: keyword
destination.geo.region_iso_code:
dashed_name: destination-geo-region-iso-code
description: Region ISO code.
example: CA-QC
flat_name: destination.geo.region_iso_code
ignore_above: 1024
level: core
name: region_iso_code
normalize: []
original_fieldset: geo
short: Region ISO code.
type: keyword
destination.geo.region_name:
dashed_name: destination-geo-region-name
description: Region name.
example: Quebec
flat_name: destination.geo.region_name
ignore_above: 1024
level: core
name: region_name
normalize: []
original_fieldset: geo
short: Region name.
type: keyword
destination.geo.timezone:
dashed_name: destination-geo-timezone
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
flat_name: destination.geo.timezone
ignore_above: 1024
level: core
name: timezone
normalize: []
original_fieldset: geo
short: Time zone.
type: keyword
dll.Ext:
dashed_name: dll-Ext
description: Object for all custom defined fields to live in.
flat_name: dll.Ext
level: custom
name: Ext
normalize: []
short: Object for all custom defined fields to live in.
type: object
dll.Ext.code_signature:
dashed_name: dll-Ext-code-signature
description: Nested version of ECS code_signature fieldset.
flat_name: dll.Ext.code_signature
level: custom
name: Ext.code_signature
normalize: []
short: Nested version of ECS code_signature fieldset.
type: nested
dll.Ext.code_signature.exists:
dashed_name: dll-Ext-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: dll.Ext.code_signature.exists
level: custom
name: Ext.code_signature.exists
normalize: []
short: Boolean to capture if a signature is present.
type: boolean
dll.Ext.code_signature.status:
dashed_name: dll-Ext-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: dll.Ext.code_signature.status
ignore_above: 1024
level: custom
name: Ext.code_signature.status
normalize: []
short: Additional information about the certificate status.
type: keyword
dll.Ext.code_signature.subject_name:
dashed_name: dll-Ext-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: dll.Ext.code_signature.subject_name
ignore_above: 1024
level: custom
name: Ext.code_signature.subject_name
normalize: []
short: Subject name of the code signer
type: keyword
dll.Ext.code_signature.trusted:
dashed_name: dll-Ext-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: dll.Ext.code_signature.trusted
level: custom
name: Ext.code_signature.trusted
normalize: []
short: Stores the trust status of the certificate chain.
type: boolean
dll.Ext.code_signature.valid:
dashed_name: dll-Ext-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: dll.Ext.code_signature.valid
level: custom
name: Ext.code_signature.valid
normalize: []
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
dll.Ext.compile_time:
dashed_name: dll-Ext-compile-time
description: Timestamp from when the module was compiled.
flat_name: dll.Ext.compile_time
level: custom
name: Ext.compile_time
normalize: []
short: Timestamp from when the module was compiled.
type: date
dll.Ext.mapped_address:
dashed_name: dll-Ext-mapped-address
description: The base address where this module is loaded.
flat_name: dll.Ext.mapped_address
level: custom
name: Ext.mapped_address
normalize: []
short: The base address where this module is loaded.
type: unsigned_long
dll.Ext.mapped_size:
dashed_name: dll-Ext-mapped-size
description: The size of this module's memory mapping, in bytes.
flat_name: dll.Ext.mapped_size
level: custom
name: Ext.mapped_size
normalize: []
short: The size of this module's memory mapping, in bytes.
type: unsigned_long
dll.code_signature.exists:
dashed_name: dll-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: dll.code_signature.exists
level: core
name: exists
normalize: []
original_fieldset: code_signature
short: Boolean to capture if a signature is present.
type: boolean
dll.code_signature.signing_id:
dashed_name: dll-code-signature-signing-id
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor. The
field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
flat_name: dll.code_signature.signing_id
ignore_above: 1024
level: extended
name: signing_id
normalize: []
original_fieldset: code_signature
short: The identifier used to sign the process.
type: keyword
dll.code_signature.status:
dashed_name: dll-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: dll.code_signature.status
ignore_above: 1024
level: extended
name: status
normalize: []
original_fieldset: code_signature
short: Additional information about the certificate status.
type: keyword
dll.code_signature.subject_name:
dashed_name: dll-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: dll.code_signature.subject_name
ignore_above: 1024
level: core
name: subject_name
normalize: []
original_fieldset: code_signature
short: Subject name of the code signer
type: keyword
dll.code_signature.team_id:
dashed_name: dll-code-signature-team-id
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field is
relevant to Apple *OS only.'
example: EQHXZ8M8AV
flat_name: dll.code_signature.team_id
ignore_above: 1024
level: extended
name: team_id
normalize: []
original_fieldset: code_signature
short: The team identifier used to sign the process.
type: keyword
dll.code_signature.trusted:
dashed_name: dll-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: dll.code_signature.trusted
level: extended
name: trusted
normalize: []
original_fieldset: code_signature
short: Stores the trust status of the certificate chain.
type: boolean
dll.code_signature.valid:
dashed_name: dll-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: dll.code_signature.valid
level: extended
name: valid
normalize: []
original_fieldset: code_signature
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
dll.hash.md5:
dashed_name: dll-hash-md5
description: MD5 hash.
flat_name: dll.hash.md5
ignore_above: 1024
level: extended
name: md5
normalize: []
original_fieldset: hash
short: MD5 hash.
type: keyword
dll.hash.sha1:
dashed_name: dll-hash-sha1
description: SHA1 hash.
flat_name: dll.hash.sha1
ignore_above: 1024
level: extended
name: sha1
normalize: []
original_fieldset: hash
short: SHA1 hash.
type: keyword
dll.hash.sha256:
dashed_name: dll-hash-sha256
description: SHA256 hash.
flat_name: dll.hash.sha256
ignore_above: 1024
level: extended
name: sha256
normalize: []
original_fieldset: hash
short: SHA256 hash.
type: keyword
dll.hash.sha512:
dashed_name: dll-hash-sha512
description: SHA512 hash.
flat_name: dll.hash.sha512
ignore_above: 1024
level: extended
name: sha512
normalize: []
original_fieldset: hash
short: SHA512 hash.
type: keyword
dll.name:
dashed_name: dll-name
description: 'Name of the library.
This generally maps to the name of the file on disk.'
example: kernel32.dll
flat_name: dll.name
ignore_above: 1024
level: core
name: name
normalize: []
short: Name of the library.
type: keyword
dll.path:
dashed_name: dll-path
description: Full file path of the library.
example: C:\Windows\System32\kernel32.dll
flat_name: dll.path
ignore_above: 1024
level: extended
name: path
normalize: []
short: Full file path of the library.
type: keyword
dll.pe.company:
dashed_name: dll-pe-company
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
flat_name: dll.pe.company
ignore_above: 1024
level: extended
name: company
normalize: []
original_fieldset: pe
short: Internal company name of the file, provided at compile-time.
type: keyword
dll.pe.description:
dashed_name: dll-pe-description
description: Internal description of the file, provided at compile-time.
example: Paint
flat_name: dll.pe.description
ignore_above: 1024
level: extended
name: description
normalize: []
original_fieldset: pe
short: Internal description of the file, provided at compile-time.
type: keyword
dll.pe.file_version:
dashed_name: dll-pe-file-version
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
flat_name: dll.pe.file_version
ignore_above: 1024
level: extended
name: file_version
normalize: []
original_fieldset: pe
short: Internal version of the file, provided at compile-time.
type: keyword
dll.pe.imphash:
dashed_name: dll-pe-imphash
description: 'A hash of the imports in a PE file. An imphash -- or import hash --
can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
flat_name: dll.pe.imphash
ignore_above: 1024
level: extended
name: imphash
normalize: []
original_fieldset: pe
short: A hash of the imports in a PE file.
type: keyword
dll.pe.original_file_name:
dashed_name: dll-pe-original-file-name
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
flat_name: dll.pe.original_file_name
ignore_above: 1024
level: extended
name: original_file_name
normalize: []
original_fieldset: pe
short: Internal name of the file, provided at compile-time.
type: keyword
dll.pe.product:
dashed_name: dll-pe-product
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
flat_name: dll.pe.product
ignore_above: 1024
level: extended
name: product
normalize: []
original_fieldset: pe
short: Internal product name of the file, provided at compile-time.
type: keyword
ecs.version:
dashed_name: ecs-version
description: 'ECS version this event conforms to. `ecs.version` is a required field
and must exist in all events.
When querying across multiple indices -- which may conform to slightly different
ECS versions -- this field lets integrations adjust to the schema version of the
events.'
example: 1.0.0
flat_name: ecs.version
ignore_above: 1024
level: core
name: version
normalize: []
required: true
short: ECS version this event conforms to.
type: keyword
elastic.agent:
dashed_name: elastic-agent
description: The agent fields contain data about the Elastic Agent. The Elastic
Agent is the management agent that manages other agents or processes on the host.
flat_name: elastic.agent
level: custom
name: agent
normalize: []
short: The agent fields contain data about the Elastic Agent.
type: object
elastic.agent.id:
dashed_name: elastic-agent-id
description: Unique identifier of this elastic agent (if one exists).
example: c2a9093e-e289-4c0a-aa44-8c32a414fa7a
flat_name: elastic.agent.id
ignore_above: 1024
level: custom
name: agent.id
normalize: []
short: Unique identifier of this elastic agent (if one exists).
type: keyword
event.action:
dashed_name: event-action
description: 'The action captured by the event.
This describes the information in the event. It is more specific than `event.category`.
Examples are `group-add`, `process-started`, `file-created`. The value is normally
defined by the implementer.'
example: user-password-change
flat_name: event.action
ignore_above: 1024
level: core
name: action
normalize: []
short: The action captured by the event.
type: keyword
event.category:
allowed_values:
- description: Events in this category annotate API calls that occurred on a system.
Typical sources for those events could be from the Operating System level through
the native libraries (for example Windows Win32, Linux libc, etc.), or managed
sources of events (such as ETW, syslog), but can also include network protocols
(such as SOAP, RPC, Websocket, REST, etc.)
expected_event_types:
- access
- admin
- allowed
- change
- creation
- deletion
- denied
- end
- info
- start
- user
name: api
- description: Events in this category are related to the challenge and response
process in which credentials are supplied and verified to allow the creation
of a session. Common sources for these logs are Windows event logs and ssh logs.
Visualize and analyze events in this category to look for failed logins, and
other authentication-related activity.
expected_event_types:
- start
- end
- info
name: authentication
- description: 'Events in the configuration category have to deal with creating,
modifying, or deleting the settings or parameters of an application, process,
or system.
Example sources include security policy change logs, configuration auditing
logging, and system integrity monitoring.'
expected_event_types:
- access
- change
- creation
- deletion
- info
name: configuration
- description: The database category denotes events and metrics relating to a data
storage and retrieval system. Note that use of this category is not limited
to relational database systems. Examples include event logs from MS SQL, MySQL,
Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database
activity such as accesses and changes.
expected_event_types:
- access
- change
- info
- error
name: database
- description: 'Events in the driver category have to do with operating system device
drivers and similar software entities such as Windows drivers, kernel extensions,
kernel modules, etc.
Use events and metrics in this category to visualize and analyze driver-related
activity and status on hosts.'
expected_event_types:
- change
- end
- info
- start
name: driver
- description: 'This category is used for events relating to email messages, email
attachments, and email network or protocol activity.
Email events can be produced by email security gateways, mail transfer agents,
email cloud service providers, or mail server monitoring applications.'
expected_event_types:
- info
name: email
- description: Relating to a set of information that has been created on, or has
existed on a filesystem. Use this category of events to visualize and analyze
the creation, access, and deletions of files. Events in this category can come
from both host-based and network-based sources. An example source of a network-based
detection of a file transfer would be the Zeek file.log.
expected_event_types:
- access
- change
- creation
- deletion
- info
name: file
- description: 'Use this category to visualize and analyze information such as host
inventory or host lifecycle events.
Most of the events in this category can usually be observed from the outside,
such as from a hypervisor or a control plane''s point of view. Some can also
be seen from within, such as "start" or "end".
Note that this category is for information about hosts themselves; it is not
meant to capture activity "happening on a host".'
expected_event_types:
- access
- change
- end
- info
- start
name: host
- description: Identity and access management (IAM) events relating to users, groups,
and administration. Use this category to visualize and analyze IAM-related logs
and data from active directory, LDAP, Okta, Duo, and other IAM systems.
expected_event_types:
- admin
- change
- creation
- deletion
- group
- info
- user
name: iam
- description: Relating to intrusion detections from IDS/IPS systems and functions,
both network and host-based. Use this category to visualize and analyze intrusion
detection alerts from systems such as Snort, Suricata, and Palo Alto threat
detections.
expected_event_types:
- allowed
- denied
- info
name: intrusion_detection
- description: Events in this category refer to the loading of a library, such as
(dll / so / dynlib), into a process. Use this category to visualize and analyze
library loading related activity on hosts. Keep in mind that driver related
activity will be captured under the "driver" category above.
expected_event_types:
- start
name: library
- description: Malware detection events and alerts. Use this category to visualize
and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems
such as Suricata, or other sources of malware-related events such as Palo Alto
Networks threat logs and Wildfire logs.
expected_event_types:
- info
name: malware
- description: Relating to all network activity, including network connection lifecycle,
network traffic, and essentially any event that includes an IP address. Many
events containing decoded network protocol transactions fit into this category.
Use events in this category to visualize or analyze counts of network ports,
protocols, addresses, geolocation information, etc.
expected_event_types:
- access
- allowed
- connection
- denied
- end
- info
- protocol
- start
name: network
- description: Relating to software packages installed on hosts. Use this category
to visualize and analyze inventory of software installed on various hosts, or
to determine host vulnerability in the absence of vulnerability scan data.
expected_event_types:
- access
- change
- deletion
- info
- installation
- start
name: package
- description: Use this category of events to visualize and analyze process-specific
information such as lifecycle events or process ancestry.
expected_event_types:
- access
- change
- end
- info
- start
name: process
- description: Having to do with settings and assets stored in the Windows registry.
Use this category to visualize and analyze activity such as registry access
and modifications.
expected_event_types:
- access
- change
- creation
- deletion
name: registry
- description: The session category is applied to events and metrics regarding logical
persistent connections to hosts and services. Use this category to visualize
and analyze interactive or automated persistent connections between assets.
Data for this category may come from Windows Event logs, SSH logs, or stateless
sessions such as HTTP cookie-based sessions, etc.
expected_event_types:
- start
- end
- info
name: session
- description: Use this category to visualize and analyze events describing threat
actors' targets, motives, or behaviors.
expected_event_types:
- indicator
name: threat
- description: Relating to vulnerability scan results. Use this category to analyze
vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability
management sources.
expected_event_types:
- info
name: vulnerability
- description: 'Relating to web server access. Use this category to create a dashboard
of web server/proxy activity from apache, IIS, nginx web servers, etc. Note:
events from network observers such as Zeek http log may also be included in
this category.'
expected_event_types:
- access
- error
- info
name: web
dashed_name: event-category
description: 'This is one of four ECS Categorization Fields, and indicates the second
level in the ECS category hierarchy.
`event.category` represents the "big buckets" of ECS categories. For example,
filtering on `event.category:process` yields all events relating to process activity.
This field is closely related to `event.type`, which is used as a subcategory.
This field is an array. This will allow proper categorization of some events that
fall in multiple categories.'
example: authentication
flat_name: event.category
ignore_above: 1024
level: core
name: category
normalize:
- array
short: Event category. The second categorization field in the hierarchy.
type: keyword
event.code:
dashed_name: event-code
description: 'Identification code for this event, if one exists.
Some event sources use event codes to identify messages unambiguously, regardless
of message language or wording adjustments over time. An example of this is the
Windows Event ID.'
example: 4648
flat_name: event.code
ignore_above: 1024
level: extended
name: code
normalize: []
short: Identification code for this event.
type: keyword
event.created:
dashed_name: event-created
description: '`event.created` contains the date/time when the event was first read
by an agent, or by your pipeline.
This field is distinct from `@timestamp` in that `@timestamp` typically contains
the time extracted from the original event.
In most situations, these two timestamps will be slightly different. The difference
can be used to calculate the delay between your source generating an event, and
the time when your agent first processed it. This can be used to monitor your
agent''s or pipeline''s ability to keep up with your event source.
In case the two timestamps are identical, `@timestamp` should be used.'
example: '2016-05-23T08:05:34.857Z'
flat_name: event.created
level: core
name: created
normalize: []
short: Time when the event was first read by an agent or by your pipeline.
type: date
event.dataset:
dashed_name: event-dataset
description: 'Name of the dataset.
If an event source publishes more than one type of log or events (e.g. access
log, error log), the dataset is used to specify which one the event comes from.
It''s recommended but not required to start the dataset name with the module name,
followed by a dot, then the dataset name.'
example: apache.access
flat_name: event.dataset
ignore_above: 1024
level: core
name: dataset
normalize: []
short: Name of the dataset.
type: keyword
event.hash:
dashed_name: event-hash
description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate
log integrity.
example: 123456789012345678901234567890ABCD
flat_name: event.hash
ignore_above: 1024
level: extended
name: hash
normalize: []
short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate
log integrity.
type: keyword
event.id:
dashed_name: event-id
description: Unique ID to describe the event.
example: 8a4f500d
flat_name: event.id
ignore_above: 1024
level: core
name: id
normalize: []
short: Unique ID to describe the event.
type: keyword
event.ingested:
dashed_name: event-ingested
description: 'Timestamp when an event arrived in the central data store.
This is different from `@timestamp`, which is when the event originally occurred. It''s
also different from `event.created`, which is meant to capture the first time
an agent saw the event.
In normal conditions, assuming no tampering, the timestamps should chronologically
look like this: `@timestamp` < `event.created` < `event.ingested`.'
example: '2016-05-23T08:05:35.101Z'
flat_name: event.ingested
level: core
name: ingested
normalize: []
short: Timestamp when an event arrived in the central data store.
type: date
event.kind:
allowed_values:
- description: 'This value indicates an event such as an alert or notable event,
triggered by a detection rule executing externally to the Elastic Stack.
`event.kind:alert` is often populated for events coming from firewalls, intrusion
detection systems, endpoint detection and response systems, and so on.
This value is not used by Elastic solutions for alert documents that are created
by rules executing within the Kibana alerting framework.'
name: alert
- beta: This event categorization value is beta and subject to change.
description: 'This value indicates events whose primary purpose is to store an
inventory of assets/entities and their attributes. Assets/entities are objects
(such as users and hosts) that are expected to be subjects of detailed analysis
within the system.
Examples include lists of user identities or accounts ingested from directory
services such as Active Directory (AD), inventory of hosts pulled from configuration
management databases (CMDB), and lists of cloud storage buckets pulled from
cloud provider APIs.
This value is used by Elastic Security for asset management solutions. `event.kind:
asset` is not used for normal system events or logs that are coming from an
asset/entity, nor is it used for system events or logs coming from a directory
or CMDB system.'
name: asset
- description: 'The `enrichment` value indicates an event collected to provide additional
context, often to other events.
An example is collecting indicators of compromise (IOCs) from a threat intelligence
provider with the intent to use those values to enrich other events. The IOC
events from the intelligence provider should be categorized as `event.kind:enrichment`.'
name: enrichment
- description: This value is the most general and most common value for this field.
It is used to represent events that indicate that something happened.
name: event
- description: 'This value is used to indicate that this event describes a numeric
measurement taken at a given point in time.
Examples include CPU utilization, memory usage, or device temperature.
Metric events are often collected on a predictable frequency, such as once every
few seconds, or once a minute, but can also be used to describe ad-hoc numeric
metric queries.'
name: metric
- description: 'The state value is similar to metric, indicating that this event
describes a measurement taken at a given point in time, except that the measurement
does not result in a numeric value, but rather one of a fixed set of categorical
values that represent conditions or states.
Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red),
the state of a TCP connection (open, closed, fin_wait, etc.), the state of a
host with respect to a software vulnerability (vulnerable, not vulnerable),
and the state of a system regarding compliance with a regulatory standard (compliant,
not compliant).
Note that an event that describes a change of state would not use `event.kind:state`,
but instead would use ''event.kind:event'' since a state change fits the more
general event definition of something that happened.
State events are often collected on a predictable frequency, such as once every
few seconds, once a minute, once an hour, or once a day, but can also be used
to describe ad-hoc state queries.'
name: state
- description: This value indicates that an error occurred during the ingestion
of this event, and that event data may be missing, inconsistent, or incorrect.
`event.kind:pipeline_error` is often associated with parsing errors.
name: pipeline_error
- description: 'This value is used by Elastic solutions (e.g., Security, Observability)
for alert documents that are created by rules executing within the Kibana alerting
framework.
Usage of this value is reserved, and data ingestion pipelines must not populate
`event.kind` with the value "signal".'
name: signal
dashed_name: event-kind
description: 'This is one of four ECS Categorization Fields, and indicates the highest
level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the event
contains, without being specific to the contents of the event. For example, values
of this field distinguish alert events from metric events.
The value of this field can be used to inform how these kinds of events should
be handled. They may warrant different retention, different access control, it
may also help understand whether the data is coming in at a regular interval or
not.'
example: alert
flat_name: event.kind
ignore_above: 1024
level: core
name: kind
normalize: []
short: The kind of the event. The highest categorization field in the hierarchy.
type: keyword
event.module:
dashed_name: event-module
description: 'Name of the module this data is coming from.
If your monitoring agent supports the concept of modules or plugins to process
events of a given source (e.g. Apache logs), `event.module` should contain the
name of this module.'
example: apache
flat_name: event.module
ignore_above: 1024
level: core
name: module
normalize: []
short: Name of the module this data is coming from.
type: keyword
event.outcome:
allowed_values:
- description: Indicates that this event describes a failed result. A common example
is `event.category:file AND event.type:access AND event.outcome:failure` to
indicate that a file access was attempted, but was not successful.
name: failure
- description: Indicates that this event describes a successful result. A common
example is `event.category:file AND event.type:create AND event.outcome:success`
to indicate that a file was successfully created.
name: success
- description: Indicates that this event describes only an attempt for which the
result is unknown from the perspective of the event producer. For example, if
the event contains information only about the request side of a transaction
that results in a response, populating `event.outcome:unknown` in the request
event is appropriate. The unknown value should not be used when an outcome doesn't
make logical sense for the event. In such cases `event.outcome` should not be
populated.
name: unknown
dashed_name: event-outcome
description: 'This is one of four ECS Categorization Fields, and indicates the lowest
level in the ECS category hierarchy.
`event.outcome` simply denotes whether the event represents a success or a failure
from the perspective of the entity that produced the event.
Note that when a single transaction is described in multiple events, each event
may populate different values of `event.outcome`, according to their perspective.
Also note that in the case of a compound event (a single event that contains multiple
logical events), this field should be populated with the value that best captures
the overall success or failure from the perspective of the event producer.
Further note that not all events will have an associated outcome. For example,
this field is generally not populated for metric events, events with `event.type:info`,
or any events for which an outcome does not make logical sense.'
example: success
flat_name: event.outcome
ignore_above: 1024
level: core
name: outcome
normalize: []
short: The outcome of the event. The lowest level categorization field in the hierarchy.
type: keyword
event.provider:
dashed_name: event-provider
description: 'Source of the event.
Event transports such as Syslog or the Windows Event Log typically mention the
source of an event. It can be the name of the software that generated the event
(e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).'
example: kernel
flat_name: event.provider
ignore_above: 1024
level: extended
name: provider
normalize: []
short: Source of the event.
type: keyword
event.sequence:
dashed_name: event-sequence
description: 'Sequence number of the event.
The sequence number is a value published by some event sources, to make the exact
ordering of events unambiguous, regardless of the timestamp precision.'
flat_name: event.sequence
format: string
level: extended
name: sequence
normalize: []
short: Sequence number of the event.
type: long
event.severity:
dashed_name: event-severity
description: 'The numeric severity of the event according to your event source.
What the different severity values mean can be different between sources and use
cases. It''s up to the implementer to make sure severities are consistent across
events from the same source.
The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is
meant to represent the severity according to the event source (e.g. firewall,
IDS). If the event source does not publish its own severity, you may optionally
copy the `log.syslog.severity.code` to `event.severity`.'
example: 7
flat_name: event.severity
format: string
level: core
name: severity
normalize: []
short: Numeric severity of the event.
type: long
event.type:
allowed_values:
- description: The access event type is used for the subset of events within a category
that indicate that something was accessed. Common examples include `event.category:database
AND event.type:access`, or `event.category:file AND event.type:access`. Note
for file access, both directory listings and file opens should be included in
this subcategory. You can further distinguish access operations using the ECS
`event.action` field.
name: access
- description: 'The admin event type is used for the subset of events within a category
that are related to admin objects. For example, administrative changes within
an IAM framework that do not specifically affect a user or group (e.g., adding
new applications to a federation solution or connecting discrete forests in
Active Directory) would fall into this subcategory. Common example: `event.category:iam
AND event.type:change AND event.type:admin`. You can further distinguish admin
operations using the ECS `event.action` field.'
name: admin
- description: The allowed event type is used for the subset of events within a
category that indicate that something was allowed. Common examples include `event.category:network
AND event.type:connection AND event.type:allowed` (to indicate a network firewall
event for which the firewall disposition was to allow the connection to complete)
and `event.category:intrusion_detection AND event.type:allowed` (to indicate
a network intrusion prevention system event for which the IPS disposition was
to allow the connection to complete). You can further distinguish allowed operations
using the ECS `event.action` field, populating with values of your choosing,
such as "allow", "detect", or "pass".
name: allowed
- description: The change event type is used for the subset of events within a category
that indicate that something has changed. If semantics best describe an event
as modified, then include them in this subcategory. Common examples include
`event.category:process AND event.type:change`, and `event.category:file AND
event.type:change`. You can further distinguish change operations using the
ECS `event.action` field.
name: change
- description: Used primarily with `event.category:network` this value is used for
the subset of network traffic that includes sufficient information for the event
to be included in flow or connection analysis. Events in this subcategory will
contain at least source and destination IP addresses, source and destination
TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred.
Events in this subcategory may contain unidirectional or bidirectional information,
including summary information. Use this subcategory to visualize and analyze
network connections. Flow analysis, including Netflow, IPFIX, and other flow-related
events fit in this subcategory. Note that firewall events from many Next-Generation
Firewall (NGFW) devices will also fit into this subcategory. A common filter
for flow/connection information would be `event.category:network AND event.type:connection
AND event.type:end` (to view or analyze all completed network connections, ignoring
mid-flow reports). You can further distinguish connection events using the ECS
`event.action` field, populating with values of your choosing, such as "timeout",
or "reset".
name: connection
- description: The "creation" event type is used for the subset of events within
a category that indicate that something was created. A common example is `event.category:file
AND event.type:creation`.
name: creation
- description: The deletion event type is used for the subset of events within a
category that indicate that something was deleted. A common example is `event.category:file
AND event.type:deletion` to indicate that a file has been deleted.
name: deletion
- description: The denied event type is used for the subset of events within a category
that indicate that something was denied. Common examples include `event.category:network
AND event.type:denied` (to indicate a network firewall event for which the firewall
disposition was to deny the connection) and `event.category:intrusion_detection
AND event.type:denied` (to indicate a network intrusion prevention system event
for which the IPS disposition was to deny the connection to complete). You can
further distinguish denied operations using the ECS `event.action` field, populating
with values of your choosing, such as "blocked", "dropped", or "quarantined".
name: denied
- description: The end event type is used for the subset of events within a category
that indicate something has ended. A common example is `event.category:process
AND event.type:end`.
name: end
- description: The error event type is used for the subset of events within a category
that indicate or describe an error. A common example is `event.category:database
AND event.type:error`. Note that pipeline errors that occur during the event
ingestion process should not use this `event.type` value. Instead, they should
use `event.kind:pipeline_error`.
name: error
- description: 'The group event type is used for the subset of events within a category
that are related to group objects. Common example: `event.category:iam AND event.type:creation
AND event.type:group`. You can further distinguish group operations using the
ECS `event.action` field.'
name: group
- description: 'The indicator event type is used for the subset of events within
a category that contain details about indicators of compromise (IOCs).
A common example is `event.category:threat AND event.type:indicator`.'
name: indicator
- description: The info event type is used for the subset of events within a category
that indicate that they are purely informational, and don't report a state change,
or any type of action. For example, an initial run of a file integrity monitoring
system (FIM), where an agent reports all files under management, would fall
into the "info" subcategory. Similarly, an event containing a dump of all currently
running processes (as opposed to reporting that a process started/ended) would
fall into the "info" subcategory. Another common example is `event.category:intrusion_detection
AND event.type:info`.
name: info
- description: The installation event type is used for the subset of events within
a category that indicate that something was installed. A common example is `event.category:package
AND event.type:installation`.
name: installation
- description: The protocol event type is used for the subset of events within a
category that indicate that they contain protocol details or analysis, beyond
simply identifying the protocol. Generally, network events that contain specific
protocol details will fall into this subcategory. A common example is `event.category:network
AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate
that the event is a network connection event sent at the end of a connection
that also includes a protocol detail breakdown). Note that events that only
indicate the name or id of the protocol should not use the protocol value. Further
note that when the protocol subcategory is used, the identified protocol is
populated in the ECS `network.protocol` field.
name: protocol
- description: The start event type is used for the subset of events within a category
that indicate something has started. A common example is `event.category:process
AND event.type:start`.
name: start
- description: 'The user event type is used for the subset of events within a category
that are related to user objects. Common example: `event.category:iam AND event.type:deletion
AND event.type:user`. You can further distinguish user operations using the
ECS `event.action` field.'
name: user
dashed_name: event-type
description: 'This is one of four ECS Categorization Fields, and indicates the third
level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with
the `event.category` field values, enables filtering events down to a level appropriate
for single visualization.
This field is an array. This will allow proper categorization of some events that
fall in multiple event types.'
flat_name: event.type
ignore_above: 1024
level: core
name: type
normalize:
- array
short: Event type. The third categorization field in the hierarchy.
type: keyword
group.Ext:
dashed_name: group-Ext
description: Object for all custom defined fields to live in.
flat_name: group.Ext
level: custom
name: Ext
normalize: []
short: Object for all custom defined fields to live in.
type: object
group.Ext.real:
dashed_name: group-Ext-real
description: Group info prior to any setgid operations.
flat_name: group.Ext.real
level: custom
name: Ext.real
normalize: []
short: Group info prior to any setgid operations.
type: object
group.Ext.real.id:
dashed_name: group-Ext-real-id
description: Unique identifier for the group on the system/platform.
flat_name: group.Ext.real.id
ignore_above: 1024
level: custom
name: Ext.real.id
normalize: []
short: Unique identifier for the group on the system/platform.
type: keyword
group.Ext.real.name:
dashed_name: group-Ext-real-name
description: Name of the group.
flat_name: group.Ext.real.name
ignore_above: 1024
level: custom
name: Ext.real.name
normalize: []
short: Name of the group.
type: keyword
group.domain:
dashed_name: group-domain
description: Name of the directory the group is a member of. For example, an LDAP
or Active Directory domain name.
flat_name: group.domain
ignore_above: 1024
level: extended
name: domain
normalize: []
short: Name of the directory the group is a member of.
type: keyword
group.id:
dashed_name: group-id
description: Unique identifier for the group on the system/platform.
flat_name: group.id
ignore_above: 1024
level: extended
name: id
normalize: []
short: Unique identifier for the group on the system/platform.
type: keyword
group.name:
dashed_name: group-name
description: Name of the group.
flat_name: group.name
ignore_above: 1024
level: extended
name: name
normalize: []
short: Name of the group.
type: keyword
host.architecture:
dashed_name: host-architecture
description: Operating system architecture.
example: x86_64
flat_name: host.architecture
ignore_above: 1024
level: core
name: architecture
normalize: []
short: Operating system architecture.
type: keyword
host.domain:
dashed_name: host-domain
description: 'Name of the domain of which the host is a member.
For example, on Windows this could be the host''s Active Directory domain or NetBIOS
domain name. For Linux this could be the domain of the host''s LDAP provider.'
example: CONTOSO
flat_name: host.domain
ignore_above: 1024
level: extended
name: domain
normalize: []
short: Name of the domain of which the host is a member.
type: keyword
host.geo.city_name:
dashed_name: host-geo-city-name
description: City name.
example: Montreal
flat_name: host.geo.city_name
ignore_above: 1024
level: core
name: city_name
normalize: []
original_fieldset: geo
short: City name.
type: keyword
host.geo.continent_code:
dashed_name: host-geo-continent-code
description: Two-letter code representing continent's name.
example: NA
flat_name: host.geo.continent_code
ignore_above: 1024
level: core
name: continent_code
normalize: []
original_fieldset: geo
short: Continent code.
type: keyword
host.geo.continent_name:
dashed_name: host-geo-continent-name
description: Name of the continent.
example: North America
flat_name: host.geo.continent_name
ignore_above: 1024
level: core
name: continent_name
normalize: []
original_fieldset: geo
short: Name of the continent.
type: keyword
host.geo.country_iso_code:
dashed_name: host-geo-country-iso-code
description: Country ISO code.
example: CA
flat_name: host.geo.country_iso_code
ignore_above: 1024
level: core
name: country_iso_code
normalize: []
original_fieldset: geo
short: Country ISO code.
type: keyword
host.geo.country_name:
dashed_name: host-geo-country-name
description: Country name.
example: Canada
flat_name: host.geo.country_name
ignore_above: 1024
level: core
name: country_name
normalize: []
original_fieldset: geo
short: Country name.
type: keyword
host.geo.location:
dashed_name: host-geo-location
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
flat_name: host.geo.location
level: core
name: location
normalize: []
original_fieldset: geo
short: Longitude and latitude.
type: geo_point
host.geo.name:
dashed_name: host-geo-name
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes a
local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
flat_name: host.geo.name
ignore_above: 1024
level: extended
name: name
normalize: []
original_fieldset: geo
short: User-defined description of a location.
type: keyword
host.geo.postal_code:
dashed_name: host-geo-postal-code
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
flat_name: host.geo.postal_code
ignore_above: 1024
level: core
name: postal_code
normalize: []
original_fieldset: geo
short: Postal code.
type: keyword
host.geo.region_iso_code:
dashed_name: host-geo-region-iso-code
description: Region ISO code.
example: CA-QC
flat_name: host.geo.region_iso_code
ignore_above: 1024
level: core
name: region_iso_code
normalize: []
original_fieldset: geo
short: Region ISO code.
type: keyword
host.geo.region_name:
dashed_name: host-geo-region-name
description: Region name.
example: Quebec
flat_name: host.geo.region_name
ignore_above: 1024
level: core
name: region_name
normalize: []
original_fieldset: geo
short: Region name.
type: keyword
host.geo.timezone:
dashed_name: host-geo-timezone
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
flat_name: host.geo.timezone
ignore_above: 1024
level: core
name: timezone
normalize: []
original_fieldset: geo
short: Time zone.
type: keyword
host.hostname:
dashed_name: host-hostname
description: 'Hostname of the host.
It normally contains what the `hostname` command returns on the host machine.'
flat_name: host.hostname
ignore_above: 1024
level: core
name: hostname
normalize: []
short: Hostname of the host.
type: keyword
host.id:
dashed_name: host-id
description: 'Unique host id.
As hostname is not always unique, use values that are meaningful in your environment.
Example: The current usage of `beat.name`.'
flat_name: host.id
ignore_above: 1024
level: core
name: id
normalize: []
short: Unique host id.
type: keyword
host.ip:
dashed_name: host-ip
description: Host ip addresses.
flat_name: host.ip
level: core
name: ip
normalize:
- array
short: Host ip addresses.
type: ip
host.mac:
dashed_name: host-mac
description: 'Host MAC addresses.
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
is represented by two [uppercase] hexadecimal digits giving the value of the octet
as an unsigned integer. Successive octets are separated by a hyphen.'
example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
flat_name: host.mac
ignore_above: 1024
level: core
name: mac
normalize:
- array
pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
short: Host MAC addresses.
type: keyword
host.name:
dashed_name: host-name
description: 'Name of the host.
It can contain what hostname returns on Unix systems, the fully qualified domain
name (FQDN), or a name specified by the user. The recommended value is the lowercase
FQDN of the host.'
flat_name: host.name
ignore_above: 1024
level: core
name: name
normalize: []
short: Name of the host.
type: keyword
host.os.Ext:
dashed_name: host-os-Ext
description: Object for all custom defined fields to live in.
flat_name: host.os.Ext
level: custom
name: Ext
normalize: []
original_fieldset: os
short: Object for all custom defined fields to live in.
type: object
host.os.Ext.variant:
dashed_name: host-os-Ext-variant
description: A string value or phrase that further aids in classifying or qualifying the
operating system (OS). For example, the distribution of a Linux OS is recorded
in this field.
example: Ubuntu
flat_name: host.os.Ext.variant
ignore_above: 1024
level: custom
name: Ext.variant
normalize: []
original_fieldset: os
short: A string value or phrase that further aids in classifying or qualifying the operating
system (OS).
type: keyword
host.os.family:
dashed_name: host-os-family
description: OS family (such as redhat, debian, freebsd, windows).
example: debian
flat_name: host.os.family
ignore_above: 1024
level: extended
name: family
normalize: []
original_fieldset: os
short: OS family (such as redhat, debian, freebsd, windows).
type: keyword
host.os.full:
dashed_name: host-os-full
description: Operating system name, including the version or code name.
example: Mac OS Mojave
flat_name: host.os.full
ignore_above: 1024
level: extended
multi_fields:
- flat_name: host.os.full.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: host.os.full.text
name: text
norms: false
type: text
name: full
normalize: []
original_fieldset: os
short: Operating system name, including the version or code name.
type: keyword
host.os.kernel:
dashed_name: host-os-kernel
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
flat_name: host.os.kernel
ignore_above: 1024
level: extended
name: kernel
normalize: []
original_fieldset: os
short: Operating system kernel version as a raw string.
type: keyword
host.os.name:
dashed_name: host-os-name
description: Operating system name, without the version.
example: Mac OS X
flat_name: host.os.name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: host.os.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: host.os.name.text
name: text
norms: false
type: text
name: name
normalize: []
original_fieldset: os
short: Operating system name, without the version.
type: keyword
host.os.platform:
dashed_name: host-os-platform
description: Operating system platform (such as centos, ubuntu, windows).
example: darwin
flat_name: host.os.platform
ignore_above: 1024
level: extended
name: platform
normalize: []
original_fieldset: os
short: Operating system platform (such as centos, ubuntu, windows).
type: keyword
host.os.type:
dashed_name: host-os-type
description: 'Use the `os.type` field to categorize the operating system into one
of the broad commercial families.
If the OS you''re dealing with is not listed as an expected value, the field should
not be populated. Please let us know by opening an issue with ECS, to propose
its addition.'
example: macos
expected_values:
- linux
- macos
- unix
- windows
- ios
- android
flat_name: host.os.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: os
short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or
android).'
type: keyword
host.os.version:
dashed_name: host-os-version
description: Operating system version as a raw string.
example: 10.14.1
flat_name: host.os.version
ignore_above: 1024
level: extended
name: version
normalize: []
original_fieldset: os
short: Operating system version as a raw string.
type: keyword
host.type:
dashed_name: host-type
description: 'Type of host.
For Cloud providers this can be the machine type like `t2.medium`. If vm, this
could be the container, for example, or other information meaningful in your environment.'
flat_name: host.type
ignore_above: 1024
level: core
name: type
normalize: []
short: Type of host.
type: keyword
host.uptime:
dashed_name: host-uptime
description: Seconds the host has been up.
example: 1325
flat_name: host.uptime
level: extended
name: uptime
normalize: []
short: Seconds the host has been up.
type: long
host.user.Ext:
dashed_name: host-user-Ext
description: Object for all custom defined fields to live in.
flat_name: host.user.Ext
level: custom
name: Ext
normalize: []
original_fieldset: user
short: Object for all custom defined fields to live in.
type: object
host.user.Ext.real:
dashed_name: host-user-Ext-real
description: User info prior to any setuid operations.
flat_name: host.user.Ext.real
level: custom
name: Ext.real
normalize: []
original_fieldset: user
short: User info prior to any setuid operations.
type: object
host.user.Ext.real.id:
dashed_name: host-user-Ext-real-id
description: One or multiple unique identifiers of the user.
flat_name: host.user.Ext.real.id
ignore_above: 1024
level: custom
name: Ext.real.id
normalize: []
original_fieldset: user
short: One or multiple unique identifiers of the user.
type: keyword
host.user.Ext.real.name:
dashed_name: host-user-Ext-real-name
description: Short name or login of the user.
flat_name: host.user.Ext.real.name
ignore_above: 1024
level: custom
name: Ext.real.name
normalize: []
original_fieldset: user
short: Short name or login of the user.
type: keyword
host.user.domain:
dashed_name: host-user-domain
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
flat_name: host.user.domain
ignore_above: 1024
level: extended
name: domain
normalize: []
original_fieldset: user
short: Name of the directory the user is a member of.
type: keyword
host.user.email:
dashed_name: host-user-email
description: User email address.
flat_name: host.user.email
ignore_above: 1024
level: extended
name: email
normalize: []
original_fieldset: user
short: User email address.
type: keyword
host.user.full_name:
dashed_name: host-user-full-name
description: User's full name, if available.
example: Albert Einstein
flat_name: host.user.full_name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: host.user.full_name.text
name: text
type: match_only_text
name: full_name
normalize: []
original_fieldset: user
short: User's full name, if available.
type: keyword
host.user.group.Ext:
dashed_name: host-user-group-Ext
description: Object for all custom defined fields to live in.
flat_name: host.user.group.Ext
level: custom
name: Ext
normalize: []
original_fieldset: group
short: Object for all custom defined fields to live in.
type: object
host.user.group.Ext.real:
dashed_name: host-user-group-Ext-real
description: Group info prior to any setgid operations.
flat_name: host.user.group.Ext.real
level: custom
name: Ext.real
normalize: []
original_fieldset: group
short: Group info prior to any setgid operations.
type: object
host.user.group.Ext.real.id:
dashed_name: host-user-group-Ext-real-id
description: Unique identifier for the group on the system/platform.
flat_name: host.user.group.Ext.real.id
ignore_above: 1024
level: custom
name: Ext.real.id
normalize: []
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
host.user.group.Ext.real.name:
dashed_name: host-user-group-Ext-real-name
description: Name of the group.
flat_name: host.user.group.Ext.real.name
ignore_above: 1024
level: custom
name: Ext.real.name
normalize: []
original_fieldset: group
short: Name of the group.
type: keyword
host.user.group.domain:
dashed_name: host-user-group-domain
description: Name of the directory the group is a member of. For example, an LDAP
or Active Directory domain name.
flat_name: host.user.group.domain
ignore_above: 1024
level: extended
name: domain
normalize: []
original_fieldset: group
short: Name of the directory the group is a member of.
type: keyword
host.user.group.id:
dashed_name: host-user-group-id
description: Unique identifier for the group on the system/platform.
flat_name: host.user.group.id
ignore_above: 1024
level: extended
name: id
normalize: []
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
host.user.group.name:
dashed_name: host-user-group-name
description: Name of the group.
flat_name: host.user.group.name
ignore_above: 1024
level: extended
name: name
normalize: []
original_fieldset: group
short: Name of the group.
type: keyword
host.user.hash:
dashed_name: host-user-hash
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
flat_name: host.user.hash
ignore_above: 1024
level: extended
name: hash
normalize: []
original_fieldset: user
short: Unique user hash to correlate information for a user in anonymized form.
type: keyword
host.user.id:
dashed_name: host-user-id
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
flat_name: host.user.id
ignore_above: 1024
level: core
name: id
normalize: []
original_fieldset: user
short: Unique identifier of the user.
type: keyword
host.user.name:
dashed_name: host-user-name
description: Short name or login of the user.
example: a.einstein
flat_name: host.user.name
ignore_above: 1024
level: core
multi_fields:
- flat_name: host.user.name.text
name: text
type: match_only_text
name: name
normalize: []
original_fieldset: user
short: Short name or login of the user.
type: keyword
message:
dashed_name: message
description: 'For log events the message field contains the log message, optimized
for viewing in a log viewer.
For structured logs without an original message field, other fields can be concatenated
to form a human-readable summary of the event.
If multiple messages exist, they can be combined into one message.'
example: Hello World
flat_name: message
level: core
name: message
normalize: []
short: Log message optimized for viewing in a log viewer.
type: match_only_text
process.Ext:
dashed_name: process-Ext
description: Object for all custom defined fields to live in.
flat_name: process.Ext
level: custom
name: Ext
normalize: []
short: Object for all custom defined fields to live in.
type: object
process.Ext.ancestry:
dashed_name: process-Ext-ancestry
description: An array of entity_ids indicating the ancestors for this event
flat_name: process.Ext.ancestry
ignore_above: 1024
level: custom
name: Ext.ancestry
normalize: []
short: An array of entity_ids indicating the ancestors for this event
type: keyword
process.Ext.authentication_id:
dashed_name: process-Ext-authentication-id
description: Process authentication ID
flat_name: process.Ext.authentication_id
ignore_above: 1024
level: custom
name: Ext.authentication_id
normalize: []
short: Process authentication ID
type: keyword
process.Ext.code_signature:
dashed_name: process-Ext-code-signature
description: Nested version of ECS code_signature fieldset.
flat_name: process.Ext.code_signature
level: custom
name: Ext.code_signature
normalize: []
short: Nested version of ECS code_signature fieldset.
type: nested
process.Ext.code_signature.exists:
dashed_name: process-Ext-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: process.Ext.code_signature.exists
level: custom
name: Ext.code_signature.exists
normalize: []
short: Boolean to capture if a signature is present.
type: boolean
process.Ext.code_signature.status:
dashed_name: process-Ext-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: process.Ext.code_signature.status
ignore_above: 1024
level: custom
name: Ext.code_signature.status
normalize: []
short: Additional information about the certificate status.
type: keyword
process.Ext.code_signature.subject_name:
dashed_name: process-Ext-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: process.Ext.code_signature.subject_name
ignore_above: 1024
level: custom
name: Ext.code_signature.subject_name
normalize: []
short: Subject name of the code signer
type: keyword
process.Ext.code_signature.trusted:
dashed_name: process-Ext-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: process.Ext.code_signature.trusted
level: custom
name: Ext.code_signature.trusted
normalize: []
short: Stores the trust status of the certificate chain.
type: boolean
process.Ext.code_signature.valid:
dashed_name: process-Ext-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
A valid signature only shows the binary is unmodified since it was signed; it does
not establish that the signer is trusted. Use `trusted` and `status` for that.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: process.Ext.code_signature.valid
level: custom
name: Ext.code_signature.valid
normalize: []
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
process.Ext.protection:
dashed_name: process-Ext-protection
description: Indicates the protection level of this process. Uses the same syntax
as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light,
and PsProtectedSignerWindows-Light.
flat_name: process.Ext.protection
ignore_above: 1024
level: custom
name: Ext.protection
normalize: []
short: OS-level protections granted to this process
type: keyword
process.Ext.services:
dashed_name: process-Ext-services
description: Services running in this process.
flat_name: process.Ext.services
ignore_above: 1024
level: custom
name: Ext.services
normalize: []
short: Services running in this process.
type: keyword
process.Ext.session:
dashed_name: process-Ext-session
description: Session information for the current process
flat_name: process.Ext.session
ignore_above: 1024
level: custom
name: Ext.session
normalize: []
short: Session information for the current process
type: keyword
process.Ext.token.domain:
dashed_name: process-Ext-token-domain
description: Domain of token user.
flat_name: process.Ext.token.domain
ignore_above: 1024
level: custom
name: domain
normalize: []
original_fieldset: token
short: Domain of token user.
type: keyword
process.Ext.token.elevation:
dashed_name: process-Ext-token-elevation
description: Whether the token is elevated or not
flat_name: process.Ext.token.elevation
level: custom
name: elevation
normalize: []
original_fieldset: token
short: Whether the token is elevated or not
type: boolean
process.Ext.token.elevation_type:
dashed_name: process-Ext-token-elevation-type
description: What level of elevation the token has
example: one of "default", "full", "limited"
flat_name: process.Ext.token.elevation_type
ignore_above: 1024
level: custom
name: elevation_type
normalize: []
original_fieldset: token
short: What level of elevation the token has
type: keyword
process.Ext.token.impersonation_level:
dashed_name: process-Ext-token-impersonation-level
description: Impersonation level. Only valid for impersonation tokens.
flat_name: process.Ext.token.impersonation_level
ignore_above: 1024
level: custom
name: impersonation_level
normalize: []
original_fieldset: token
short: Impersonation level. Only valid for impersonation tokens.
type: keyword
process.Ext.token.integrity_level:
dashed_name: process-Ext-token-integrity-level
description: Numeric integrity level.
flat_name: process.Ext.token.integrity_level
level: custom
name: integrity_level
normalize: []
original_fieldset: token
short: Numeric integrity level.
type: long
process.Ext.token.integrity_level_name:
dashed_name: process-Ext-token-integrity-level-name
description: Human readable integrity level.
example: one of "system", "high", "medium", "low", "untrusted"
flat_name: process.Ext.token.integrity_level_name
ignore_above: 1024
level: custom
name: integrity_level_name
normalize: []
original_fieldset: token
short: Human readable integrity level.
type: keyword
process.Ext.token.is_appcontainer:
dashed_name: process-Ext-token-is-appcontainer
description: Whether or not this is an appcontainer token.
flat_name: process.Ext.token.is_appcontainer
level: custom
name: is_appcontainer
normalize: []
original_fieldset: token
short: Whether or not this is an appcontainer token.
type: boolean
process.Ext.token.privileges:
dashed_name: process-Ext-token-privileges
description: Array describing the privileges associated with the token.
flat_name: process.Ext.token.privileges
level: custom
name: privileges
normalize: []
original_fieldset: token
short: Array describing the privileges associated with the token.
type: nested
process.Ext.token.privileges.description:
dashed_name: process-Ext-token-privileges-description
description: Description of the privilege.
flat_name: process.Ext.token.privileges.description
ignore_above: 1024
level: custom
name: privileges.description
normalize: []
original_fieldset: token
short: Description of the privilege.
type: keyword
process.Ext.token.privileges.enabled:
dashed_name: process-Ext-token-privileges-enabled
description: Whether or not the privilege is enabled.
flat_name: process.Ext.token.privileges.enabled
level: custom
name: privileges.enabled
normalize: []
original_fieldset: token
short: Whether or not the privilege is enabled.
type: boolean
process.Ext.token.privileges.name:
dashed_name: process-Ext-token-privileges-name
description: Name of the privilege.
flat_name: process.Ext.token.privileges.name
ignore_above: 1024
level: custom
name: privileges.name
normalize: []
original_fieldset: token
short: Name of the privilege.
type: keyword
process.Ext.token.sid:
dashed_name: process-Ext-token-sid
description: Token user's Security Identifier (SID).
flat_name: process.Ext.token.sid
ignore_above: 1024
level: custom
name: sid
normalize: []
original_fieldset: token
short: Token user's Security Identifier (SID).
type: keyword
process.Ext.token.type:
dashed_name: process-Ext-token-type
description: Type of the token, either primary or impersonation.
flat_name: process.Ext.token.type
ignore_above: 1024
level: custom
name: type
normalize: []
original_fieldset: token
short: Type of the token, either primary or impersonation.
type: keyword
process.Ext.token.user:
dashed_name: process-Ext-token-user
description: Username of token owner.
flat_name: process.Ext.token.user
ignore_above: 1024
level: custom
name: user
normalize: []
original_fieldset: token
short: Username of token owner.
type: keyword
process.Ext.user:
dashed_name: process-Ext-user
description: User associated with the running process.
flat_name: process.Ext.user
ignore_above: 1024
level: custom
name: Ext.user
normalize: []
short: User associated with the running process.
type: keyword
process.args:
dashed_name: process-args
description: 'Array of process arguments, starting with the absolute path to the
executable.
May be filtered to protect sensitive information.'
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
flat_name: process.args
ignore_above: 1024
level: extended
name: args
normalize:
- array
short: Array of process arguments.
type: keyword
process.args_count:
dashed_name: process-args-count
description: 'Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how many
arguments were provided to start a process. More arguments may be an indication
of suspicious activity.'
example: 4
flat_name: process.args_count
level: extended
name: args_count
normalize: []
short: Length of the process.args array.
type: long
process.code_signature.exists:
dashed_name: process-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: process.code_signature.exists
level: core
name: exists
normalize: []
original_fieldset: code_signature
short: Boolean to capture if a signature is present.
type: boolean
process.code_signature.signing_id:
dashed_name: process-code-signature-signing-id
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor. The
field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
flat_name: process.code_signature.signing_id
ignore_above: 1024
level: extended
name: signing_id
normalize: []
original_fieldset: code_signature
short: The identifier used to sign the process.
type: keyword
process.code_signature.status:
dashed_name: process-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: process.code_signature.status
ignore_above: 1024
level: extended
name: status
normalize: []
original_fieldset: code_signature
short: Additional information about the certificate status.
type: keyword
process.code_signature.subject_name:
dashed_name: process-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: process.code_signature.subject_name
ignore_above: 1024
level: core
name: subject_name
normalize: []
original_fieldset: code_signature
short: Subject name of the code signer
type: keyword
process.code_signature.team_id:
dashed_name: process-code-signature-team-id
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field is
relevant to Apple *OS only.'
example: EQHXZ8M8AV
flat_name: process.code_signature.team_id
ignore_above: 1024
level: extended
name: team_id
normalize: []
original_fieldset: code_signature
short: The team identifier used to sign the process.
type: keyword
process.code_signature.trusted:
dashed_name: process-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: process.code_signature.trusted
level: extended
name: trusted
normalize: []
original_fieldset: code_signature
short: Stores the trust status of the certificate chain.
type: boolean
process.code_signature.valid:
dashed_name: process-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: process.code_signature.valid
level: extended
name: valid
normalize: []
original_fieldset: code_signature
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
process.command_line:
dashed_name: process-command-line
description: 'Full command line that started the process, including the absolute
path to the executable, and all arguments.
Some arguments may be filtered to protect sensitive information.'
example: /usr/bin/ssh -l user 10.0.0.16
flat_name: process.command_line
level: extended
multi_fields:
- flat_name: process.command_line.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.command_line.text
name: text
norms: false
type: text
name: command_line
normalize: []
short: Full command line that started the process.
type: wildcard
process.entity_id:
dashed_name: process-entity-id
description: 'Unique identifier for the process.
The implementation of this is specified by the data source, but some examples
of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
or a hash of some uniquely identifying components of a process.
Constructing a globally unique identifier is a common practice to mitigate PID
reuse as well as to identify a specific process over time, across multiple monitored
hosts.'
example: c2c455d9f99375d
flat_name: process.entity_id
ignore_above: 1024
level: extended
name: entity_id
normalize: []
short: Unique identifier for the process.
type: keyword
process.executable:
dashed_name: process-executable
description: Absolute path to the process executable.
example: /usr/bin/ssh
flat_name: process.executable
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.executable.text
name: text
norms: false
type: text
name: executable
normalize: []
short: Absolute path to the process executable.
type: keyword
process.exit_code:
dashed_name: process-exit-code
description: 'The exit code of the process, if this is a termination event.
The field should be absent if there is no exit code for the event (e.g. process
start).'
example: 137
flat_name: process.exit_code
level: extended
name: exit_code
normalize: []
short: The exit code of the process.
type: long
process.hash.md5:
dashed_name: process-hash-md5
description: MD5 hash.
flat_name: process.hash.md5
ignore_above: 1024
level: extended
name: md5
normalize: []
original_fieldset: hash
short: MD5 hash.
type: keyword
process.hash.sha1:
dashed_name: process-hash-sha1
description: SHA1 hash.
flat_name: process.hash.sha1
ignore_above: 1024
level: extended
name: sha1
normalize: []
original_fieldset: hash
short: SHA1 hash.
type: keyword
process.hash.sha256:
dashed_name: process-hash-sha256
description: SHA256 hash.
flat_name: process.hash.sha256
ignore_above: 1024
level: extended
name: sha256
normalize: []
original_fieldset: hash
short: SHA256 hash.
type: keyword
process.hash.sha512:
dashed_name: process-hash-sha512
description: SHA512 hash.
flat_name: process.hash.sha512
ignore_above: 1024
level: extended
name: sha512
normalize: []
original_fieldset: hash
short: SHA512 hash.
type: keyword
process.name:
dashed_name: process-name
description: 'Process name.
Sometimes called program name or similar.'
example: ssh
flat_name: process.name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.name.text
name: text
norms: false
type: text
name: name
normalize: []
short: Process name.
type: keyword
process.parent.Ext:
dashed_name: process-parent-Ext
description: Object for all custom defined fields to live in.
flat_name: process.parent.Ext
level: custom
name: Ext
normalize: []
original_fieldset: process
short: Object for all custom defined fields to live in.
type: object
process.parent.Ext.code_signature:
dashed_name: process-parent-Ext-code-signature
description: Nested version of ECS code_signature fieldset.
flat_name: process.parent.Ext.code_signature
level: custom
name: Ext.code_signature
normalize: []
original_fieldset: process
short: Nested version of ECS code_signature fieldset.
type: nested
process.parent.Ext.code_signature.exists:
dashed_name: process-parent-Ext-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: process.parent.Ext.code_signature.exists
level: custom
name: Ext.code_signature.exists
normalize: []
original_fieldset: process
short: Boolean to capture if a signature is present.
type: boolean
process.parent.Ext.code_signature.status:
dashed_name: process-parent-Ext-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: process.parent.Ext.code_signature.status
ignore_above: 1024
level: custom
name: Ext.code_signature.status
normalize: []
original_fieldset: process
short: Additional information about the certificate status.
type: keyword
process.parent.Ext.code_signature.subject_name:
dashed_name: process-parent-Ext-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: process.parent.Ext.code_signature.subject_name
ignore_above: 1024
level: custom
name: Ext.code_signature.subject_name
normalize: []
original_fieldset: process
short: Subject name of the code signer
type: keyword
process.parent.Ext.code_signature.trusted:
dashed_name: process-parent-Ext-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: process.parent.Ext.code_signature.trusted
level: custom
name: Ext.code_signature.trusted
normalize: []
original_fieldset: process
short: Stores the trust status of the certificate chain.
type: boolean
process.parent.Ext.code_signature.valid:
dashed_name: process-parent-Ext-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: process.parent.Ext.code_signature.valid
level: custom
name: Ext.code_signature.valid
normalize: []
original_fieldset: process
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
process.parent.Ext.protection:
dashed_name: process-parent-Ext-protection
description: Indicates the protection level of this process. Uses the same syntax
as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light,
and PsProtectedSignerWindows-Light.
flat_name: process.parent.Ext.protection
ignore_above: 1024
level: custom
name: Ext.protection
normalize: []
original_fieldset: process
short: OS-level protections granted to this process
type: keyword
process.parent.Ext.real:
dashed_name: process-parent-Ext-real
description: The field set containing process info in case of any pid spoofing.
This is mainly useful for process.parent.
flat_name: process.parent.Ext.real
level: custom
name: Ext.real
normalize: []
original_fieldset: process
short: The field set containing process info in case of any pid spoofing. This is
mainly useful for process.parent.
type: object
process.parent.Ext.real.pid:
dashed_name: process-parent-Ext-real-pid
description: For process.parent this will be the ppid of the process that actually
spawned the current process.
flat_name: process.parent.Ext.real.pid
level: custom
name: Ext.real.pid
normalize: []
original_fieldset: process
short: The real pid of the process if ppid spoofing is happening.
type: long
process.parent.args:
dashed_name: process-parent-args
description: 'Array of process arguments, starting with the absolute path to the
executable.
May be filtered to protect sensitive information.'
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
flat_name: process.parent.args
ignore_above: 1024
level: extended
name: args
normalize:
- array
original_fieldset: process
short: Array of process arguments.
type: keyword
process.parent.args_count:
dashed_name: process-parent-args-count
description: 'Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how many
arguments were provided to start a process. More arguments may be an indication
of suspicious activity.'
example: 4
flat_name: process.parent.args_count
level: extended
name: args_count
normalize: []
original_fieldset: process
short: Length of the process.args array.
type: long
process.parent.code_signature.exists:
dashed_name: process-parent-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: process.parent.code_signature.exists
level: core
name: exists
normalize: []
original_fieldset: code_signature
short: Boolean to capture if a signature is present.
type: boolean
process.parent.code_signature.signing_id:
dashed_name: process-parent-code-signature-signing-id
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor. The
field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
flat_name: process.parent.code_signature.signing_id
ignore_above: 1024
level: extended
name: signing_id
normalize: []
original_fieldset: code_signature
short: The identifier used to sign the process.
type: keyword
process.parent.code_signature.status:
dashed_name: process-parent-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: process.parent.code_signature.status
ignore_above: 1024
level: extended
name: status
normalize: []
original_fieldset: code_signature
short: Additional information about the certificate status.
type: keyword
process.parent.code_signature.subject_name:
dashed_name: process-parent-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: process.parent.code_signature.subject_name
ignore_above: 1024
level: core
name: subject_name
normalize: []
original_fieldset: code_signature
short: Subject name of the code signer
type: keyword
process.parent.code_signature.team_id:
dashed_name: process-parent-code-signature-team-id
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field is
relevant to Apple *OS only.'
example: EQHXZ8M8AV
flat_name: process.parent.code_signature.team_id
ignore_above: 1024
level: extended
name: team_id
normalize: []
original_fieldset: code_signature
short: The team identifier used to sign the process.
type: keyword
process.parent.code_signature.trusted:
dashed_name: process-parent-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: process.parent.code_signature.trusted
level: extended
name: trusted
normalize: []
original_fieldset: code_signature
short: Stores the trust status of the certificate chain.
type: boolean
process.parent.code_signature.valid:
dashed_name: process-parent-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: process.parent.code_signature.valid
level: extended
name: valid
normalize: []
original_fieldset: code_signature
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
process.parent.command_line:
dashed_name: process-parent-command-line
description: 'Full command line that started the process, including the absolute
path to the executable, and all arguments.
Some arguments may be filtered to protect sensitive information.'
example: /usr/bin/ssh -l user 10.0.0.16
flat_name: process.parent.command_line
level: extended
multi_fields:
- flat_name: process.parent.command_line.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.command_line.text
name: text
norms: false
type: text
name: command_line
normalize: []
original_fieldset: process
short: Full command line that started the process.
type: wildcard
process.parent.entity_id:
dashed_name: process-parent-entity-id
description: 'Unique identifier for the process.
The implementation of this is specified by the data source, but some examples
of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
or a hash of some uniquely identifying components of a process.
Constructing a globally unique identifier is a common practice to mitigate PID
reuse as well as to identify a specific process over time, across multiple monitored
hosts.'
example: c2c455d9f99375d
flat_name: process.parent.entity_id
ignore_above: 1024
level: extended
name: entity_id
normalize: []
original_fieldset: process
short: Unique identifier for the process.
type: keyword
process.parent.executable:
dashed_name: process-parent-executable
description: Absolute path to the process executable.
example: /usr/bin/ssh
flat_name: process.parent.executable
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.executable.text
name: text
norms: false
type: text
name: executable
normalize: []
original_fieldset: process
short: Absolute path to the process executable.
type: keyword
process.parent.exit_code:
dashed_name: process-parent-exit-code
description: 'The exit code of the process, if this is a termination event.
The field should be absent if there is no exit code for the event (e.g. process
start).'
example: 137
flat_name: process.parent.exit_code
level: extended
name: exit_code
normalize: []
original_fieldset: process
short: The exit code of the process.
type: long
process.parent.hash.md5:
dashed_name: process-parent-hash-md5
description: MD5 hash.
flat_name: process.parent.hash.md5
ignore_above: 1024
level: extended
name: md5
normalize: []
original_fieldset: hash
short: MD5 hash.
type: keyword
process.parent.hash.sha1:
dashed_name: process-parent-hash-sha1
description: SHA1 hash.
flat_name: process.parent.hash.sha1
ignore_above: 1024
level: extended
name: sha1
normalize: []
original_fieldset: hash
short: SHA1 hash.
type: keyword
process.parent.hash.sha256:
dashed_name: process-parent-hash-sha256
description: SHA256 hash.
flat_name: process.parent.hash.sha256
ignore_above: 1024
level: extended
name: sha256
normalize: []
original_fieldset: hash
short: SHA256 hash.
type: keyword
process.parent.hash.sha512:
dashed_name: process-parent-hash-sha512
description: SHA512 hash.
flat_name: process.parent.hash.sha512
ignore_above: 1024
level: extended
name: sha512
normalize: []
original_fieldset: hash
short: SHA512 hash.
type: keyword
process.parent.name:
dashed_name: process-parent-name
description: 'Process name.
Sometimes called program name or similar.'
example: ssh
flat_name: process.parent.name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.name.text
name: text
norms: false
type: text
name: name
normalize: []
original_fieldset: process
short: Process name.
type: keyword
process.parent.pgid:
dashed_name: process-parent-pgid
description: 'Deprecated for removal in next major version release. This field is
superseded by `process.group_leader.pid`.
Identifier of the group of processes the process belongs to.'
flat_name: process.parent.pgid
format: string
level: extended
name: pgid
normalize: []
original_fieldset: process
short: Deprecated identifier of the group of processes the process belongs to.
type: long
process.parent.pid:
dashed_name: process-parent-pid
description: Process id.
example: 4242
flat_name: process.parent.pid
format: string
level: core
name: pid
normalize: []
original_fieldset: process
short: Process id.
type: long
process.parent.ppid:
dashed_name: process-parent-ppid
description: Parent process' pid.
example: 4241
flat_name: process.parent.ppid
format: string
level: extended
name: ppid
normalize: []
original_fieldset: process
short: Parent process' pid.
type: long
process.parent.start:
dashed_name: process-parent-start
description: The time the process started.
example: '2016-05-23T08:05:34.853Z'
flat_name: process.parent.start
level: extended
name: start
normalize: []
original_fieldset: process
short: The time the process started.
type: date
process.parent.thread.id:
dashed_name: process-parent-thread-id
description: Thread ID.
example: 4242
flat_name: process.parent.thread.id
format: string
level: extended
name: thread.id
normalize: []
original_fieldset: process
short: Thread ID.
type: long
process.parent.thread.name:
dashed_name: process-parent-thread-name
description: Thread name.
example: thread-0
flat_name: process.parent.thread.name
ignore_above: 1024
level: extended
name: thread.name
normalize: []
original_fieldset: process
short: Thread name.
type: keyword
process.parent.title:
dashed_name: process-parent-title
description: 'Process title.
The proctitle, sometimes the same as process name. Can also be different: for
example a browser setting its title to the web page currently opened.'
flat_name: process.parent.title
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.title.text
name: text
type: match_only_text
name: title
normalize: []
original_fieldset: process
short: Process title.
type: keyword
process.parent.uptime:
dashed_name: process-parent-uptime
description: Seconds the process has been up.
example: 1325
flat_name: process.parent.uptime
level: extended
name: uptime
normalize: []
original_fieldset: process
short: Seconds the process has been up.
type: long
process.parent.working_directory:
dashed_name: process-parent-working-directory
description: The working directory of the process.
example: /home/alice
flat_name: process.parent.working_directory
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.working_directory.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.working_directory.text
name: text
norms: false
type: text
name: working_directory
normalize: []
original_fieldset: process
short: The working directory of the process.
type: keyword
process.pe.company:
dashed_name: process-pe-company
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
flat_name: process.pe.company
ignore_above: 1024
level: extended
name: company
normalize: []
original_fieldset: pe
short: Internal company name of the file, provided at compile-time.
type: keyword
process.pe.description:
dashed_name: process-pe-description
description: Internal description of the file, provided at compile-time.
example: Paint
flat_name: process.pe.description
ignore_above: 1024
level: extended
name: description
normalize: []
original_fieldset: pe
short: Internal description of the file, provided at compile-time.
type: keyword
process.pe.file_version:
dashed_name: process-pe-file-version
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
flat_name: process.pe.file_version
ignore_above: 1024
level: extended
name: file_version
normalize: []
original_fieldset: pe
short: Internal version of the file, provided at compile-time.
type: keyword
process.pe.imphash:
dashed_name: process-pe-imphash
description: 'A hash of the imports in a PE file. An imphash -- or import hash --
can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
flat_name: process.pe.imphash
ignore_above: 1024
level: extended
name: imphash
normalize: []
original_fieldset: pe
short: A hash of the imports in a PE file.
type: keyword
process.pe.original_file_name:
dashed_name: process-pe-original-file-name
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
flat_name: process.pe.original_file_name
ignore_above: 1024
level: extended
name: original_file_name
normalize: []
original_fieldset: pe
short: Internal name of the file, provided at compile-time.
type: keyword
process.pe.product:
dashed_name: process-pe-product
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
flat_name: process.pe.product
ignore_above: 1024
level: extended
name: product
normalize: []
original_fieldset: pe
short: Internal product name of the file, provided at compile-time.
type: keyword
process.pgid:
dashed_name: process-pgid
description: 'Deprecated for removal in next major version release. This field is
superseded by `process.group_leader.pid`.
Identifier of the group of processes the process belongs to.'
flat_name: process.pgid
format: string
level: extended
name: pgid
normalize: []
short: Deprecated identifier of the group of processes the process belongs to.
type: long
process.pid:
dashed_name: process-pid
description: Process id.
example: 4242
flat_name: process.pid
format: string
level: core
name: pid
normalize: []
short: Process id.
type: long
process.ppid:
dashed_name: process-ppid
description: Parent process' pid.
example: 4241
flat_name: process.ppid
format: string
level: extended
name: ppid
normalize: []
short: Parent process' pid.
type: long
process.start:
dashed_name: process-start
description: The time the process started.
example: '2016-05-23T08:05:34.853Z'
flat_name: process.start
level: extended
name: start
normalize: []
short: The time the process started.
type: date
process.thread.Ext:
dashed_name: process-thread-Ext
description: Object for all custom defined fields to live in.
flat_name: process.thread.Ext
level: custom
name: thread.Ext
normalize: []
short: Object for all custom defined fields to live in.
type: object
process.thread.Ext.call_stack:
dashed_name: process-thread-Ext-call-stack
description: Fields describing a stack frame. call_stack is expected to be an array
where each array element represents a stack frame.
enabled: false
flat_name: process.thread.Ext.call_stack
level: custom
name: call_stack
normalize: []
original_fieldset: call_stack
short: Fields describing a stack frame.
type: object
process.thread.Ext.call_stack.instruction_pointer:
dashed_name: process-thread-Ext-call-stack-instruction-pointer
description: The return address of this stack frame.
flat_name: process.thread.Ext.call_stack.instruction_pointer
ignore_above: 1024
level: custom
name: instruction_pointer
normalize: []
original_fieldset: call_stack
short: The return address of this stack frame.
type: keyword
process.thread.Ext.call_stack.memory_section.memory_address:
dashed_name: process-thread-Ext-call-stack-memory-section-memory-address
description: Base address of the memory region containing `instruction_pointer`. Corresponds
to `MEMORY_BASIC_INFORMATION.BaseAddress`
doc_values: false
flat_name: process.thread.Ext.call_stack.memory_section.memory_address
index: false
level: custom
name: memory_section.memory_address
normalize: []
original_fieldset: call_stack
short: Base address of the memory region containing `instruction_pointer`.
type: keyword
process.thread.Ext.call_stack.memory_section.memory_size:
dashed_name: process-thread-Ext-call-stack-memory-section-memory-size
description: Size of the memory region containing `instruction_pointer`. Corresponds
to `MEMORY_BASIC_INFORMATION.RegionSize`
doc_values: false
flat_name: process.thread.Ext.call_stack.memory_section.memory_size
index: false
level: custom
name: memory_section.memory_size
normalize: []
original_fieldset: call_stack
short: Size of the memory region containing `instruction_pointer`. Corresponds
to `MEMORY_BASIC_INFORMATION.RegionSize`
type: keyword
process.thread.Ext.call_stack.memory_section.protection:
dashed_name: process-thread-Ext-call-stack-memory-section-protection
description: Memory protection flags of this memory region. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`
flat_name: process.thread.Ext.call_stack.memory_section.protection
ignore_above: 1024
level: custom
name: memory_section.protection
normalize: []
original_fieldset: call_stack
short: Memory protection flags of this memory region. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`
type: keyword
process.thread.Ext.call_stack.module_path:
dashed_name: process-thread-Ext-call-stack-module-path
description: The path to the DLL/module containing `instruction_pointer`.
flat_name: process.thread.Ext.call_stack.module_path
ignore_above: 1024
level: custom
name: module_path
normalize: []
original_fieldset: call_stack
short: The path to the DLL/module containing `instruction_pointer`.
type: keyword
process.thread.Ext.call_stack.rva:
dashed_name: process-thread-Ext-call-stack-rva
description: The relative virtual address of `instruction_pointer`. Computed as
`instruction_pointer - MEMORY_BASIC_INFORMATION.AllocationBase`.
flat_name: process.thread.Ext.call_stack.rva
ignore_above: 1024
level: custom
name: rva
normalize: []
original_fieldset: call_stack
short: The relative virtual address of `instruction_pointer`.
type: keyword
process.thread.Ext.call_stack.symbol_info:
dashed_name: process-thread-Ext-call-stack-symbol-info
description: The nearest symbol for `instruction_pointer`.
flat_name: process.thread.Ext.call_stack.symbol_info
ignore_above: 1024
level: custom
name: symbol_info
normalize: []
original_fieldset: call_stack
short: The nearest symbol for `instruction_pointer`.
type: keyword
process.thread.Ext.service:
dashed_name: process-thread-Ext-service
description: Service associated with the thread.
example: VaultSvc
flat_name: process.thread.Ext.service
ignore_above: 1024
level: custom
name: thread.Ext.service
normalize: []
short: Service associated with the thread.
type: keyword
process.thread.Ext.start:
dashed_name: process-thread-Ext-start
description: The time the thread started.
example: '2016-05-23T08:05:34.853Z'
flat_name: process.thread.Ext.start
level: custom
name: thread.Ext.start
normalize: []
short: The time the thread started.
type: date
process.thread.Ext.start_address:
dashed_name: process-thread-Ext-start-address
description: Memory address where the thread began execution.
example: 4194304
flat_name: process.thread.Ext.start_address
level: custom
name: thread.Ext.start_address
normalize: []
short: Memory address where the thread began execution.
type: unsigned_long
process.thread.Ext.start_address_module:
dashed_name: process-thread-Ext-start-address-module
description: The dll/module where the thread began execution.
example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
flat_name: process.thread.Ext.start_address_module
ignore_above: 1024
level: custom
name: thread.Ext.start_address_module
normalize: []
short: The dll/module where the thread began execution.
type: keyword
process.thread.Ext.token.domain:
dashed_name: process-thread-Ext-token-domain
description: Domain of token user.
flat_name: process.thread.Ext.token.domain
ignore_above: 1024
level: custom
name: domain
normalize: []
original_fieldset: token
short: Domain of token user.
type: keyword
process.thread.Ext.token.elevation:
dashed_name: process-thread-Ext-token-elevation
description: Whether the token is elevated or not
flat_name: process.thread.Ext.token.elevation
level: custom
name: elevation
normalize: []
original_fieldset: token
short: Whether the token is elevated or not
type: boolean
process.thread.Ext.token.elevation_type:
dashed_name: process-thread-Ext-token-elevation-type
description: What level of elevation the token has
example: one of "default", "full", "limited"
flat_name: process.thread.Ext.token.elevation_type
ignore_above: 1024
level: custom
name: elevation_type
normalize: []
original_fieldset: token
short: What level of elevation the token has
type: keyword
process.thread.Ext.token.impersonation_level:
dashed_name: process-thread-Ext-token-impersonation-level
description: Impersonation level. Only valid for impersonation tokens.
flat_name: process.thread.Ext.token.impersonation_level
ignore_above: 1024
level: custom
name: impersonation_level
normalize: []
original_fieldset: token
short: Impersonation level. Only valid for impersonation tokens.
type: keyword
process.thread.Ext.token.integrity_level:
dashed_name: process-thread-Ext-token-integrity-level
description: Numeric integrity level.
flat_name: process.thread.Ext.token.integrity_level
level: custom
name: integrity_level
normalize: []
original_fieldset: token
short: Numeric integrity level.
type: long
process.thread.Ext.token.integrity_level_name:
dashed_name: process-thread-Ext-token-integrity-level-name
description: Human readable integrity level.
example: one of "system", "high", "medium", "low", "untrusted"
flat_name: process.thread.Ext.token.integrity_level_name
ignore_above: 1024
level: custom
name: integrity_level_name
normalize: []
original_fieldset: token
short: Human readable integrity level.
type: keyword
process.thread.Ext.token.is_appcontainer:
dashed_name: process-thread-Ext-token-is-appcontainer
description: Whether or not this is an appcontainer token.
flat_name: process.thread.Ext.token.is_appcontainer
level: custom
name: is_appcontainer
normalize: []
original_fieldset: token
short: Whether or not this is an appcontainer token.
type: boolean
process.thread.Ext.token.privileges:
dashed_name: process-thread-Ext-token-privileges
description: Array describing the privileges associated with the token.
flat_name: process.thread.Ext.token.privileges
level: custom
name: privileges
normalize: []
original_fieldset: token
short: Array describing the privileges associated with the token.
type: nested
process.thread.Ext.token.privileges.description:
dashed_name: process-thread-Ext-token-privileges-description
description: Description of the privilege.
flat_name: process.thread.Ext.token.privileges.description
ignore_above: 1024
level: custom
name: privileges.description
normalize: []
original_fieldset: token
short: Description of the privilege.
type: keyword
process.thread.Ext.token.privileges.enabled:
dashed_name: process-thread-Ext-token-privileges-enabled
description: Whether or not the privilege is currently enabled on the token. A privilege that is present but disabled can be enabled by the process itself, so presence in the `privileges` array, not only this flag, is the relevant signal when assessing what the token can do.
flat_name: process.thread.Ext.token.privileges.enabled
level: custom
name: privileges.enabled
normalize: []
original_fieldset: token
short: Whether or not the privilege is enabled.
type: boolean
process.thread.Ext.token.privileges.name:
dashed_name: process-thread-Ext-token-privileges-name
description: Name of the privilege.
flat_name: process.thread.Ext.token.privileges.name
ignore_above: 1024
level: custom
name: privileges.name
normalize: []
original_fieldset: token
short: Name of the privilege.
type: keyword
process.thread.Ext.token.sid:
dashed_name: process-thread-Ext-token-sid
description: Token user's Security Identifier (SID).
flat_name: process.thread.Ext.token.sid
ignore_above: 1024
level: custom
name: sid
normalize: []
original_fieldset: token
short: Token user's Security Identifier (SID).
type: keyword
process.thread.Ext.token.type:
dashed_name: process-thread-Ext-token-type
description: Type of the token, either primary or impersonation.
flat_name: process.thread.Ext.token.type
ignore_above: 1024
level: custom
name: type
normalize: []
original_fieldset: token
short: Type of the token, either primary or impersonation.
type: keyword
process.thread.Ext.token.user:
dashed_name: process-thread-Ext-token-user
description: Username of token owner.
flat_name: process.thread.Ext.token.user
ignore_above: 1024
level: custom
name: user
normalize: []
original_fieldset: token
short: Username of token owner.
type: keyword
process.thread.Ext.uptime:
dashed_name: process-thread-Ext-uptime
description: Seconds since thread started.
flat_name: process.thread.Ext.uptime
level: custom
name: thread.Ext.uptime
normalize: []
short: Seconds since thread started.
type: long
process.thread.id:
dashed_name: process-thread-id
description: Thread ID.
example: 4242
flat_name: process.thread.id
format: string
level: extended
name: thread.id
normalize: []
short: Thread ID.
type: long
process.thread.name:
dashed_name: process-thread-name
description: Thread name.
example: thread-0
flat_name: process.thread.name
ignore_above: 1024
level: extended
name: thread.name
normalize: []
short: Thread name.
type: keyword
process.title:
dashed_name: process-title
description: 'Process title.
The proctitle, sometimes the same as process name. Can also be different: for
example a browser setting its title to the web page currently opened.
Because a process can set its own title, treat this value as untrusted for
detection and display purposes.'
flat_name: process.title
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.title.text
name: text
type: match_only_text
name: title
normalize: []
short: Process title.
type: keyword
process.uptime:
dashed_name: process-uptime
description: Seconds the process has been up.
example: 1325
flat_name: process.uptime
level: extended
name: uptime
normalize: []
short: Seconds the process has been up.
type: long
process.working_directory:
dashed_name: process-working-directory
description: The working directory of the process.
example: /home/alice
flat_name: process.working_directory
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.working_directory.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.working_directory.text
name: text
norms: false
type: text
name: working_directory
normalize: []
short: The working directory of the process.
type: keyword
rule.author:
dashed_name: rule-author
description: Name, organization, or pseudonym of the author or authors who created
the rule used to generate this event.
example: '["Star-Lord"]'
flat_name: rule.author
ignore_above: 1024
level: extended
name: author
normalize:
- array
short: Rule author
type: keyword
rule.category:
dashed_name: rule-category
description: A categorization value keyword used by the entity using the rule for
detection of this event.
example: Attempted Information Leak
flat_name: rule.category
ignore_above: 1024
level: extended
name: category
normalize: []
short: Rule category
type: keyword
rule.description:
dashed_name: rule-description
description: The description of the rule generating the event.
example: Block requests to public DNS over HTTPS / TLS protocols
flat_name: rule.description
ignore_above: 1024
level: extended
name: description
normalize: []
short: Rule description
type: keyword
rule.id:
dashed_name: rule-id
description: A rule ID that is unique within the scope of an agent, observer, or
other entity using the rule for detection of this event.
example: 101
flat_name: rule.id
ignore_above: 1024
level: extended
name: id
normalize: []
short: Rule ID
type: keyword
rule.license:
dashed_name: rule-license
description: Name of the license under which the rule used to generate this event
is made available.
example: Apache 2.0
flat_name: rule.license
ignore_above: 1024
level: extended
name: license
normalize: []
short: Rule license
type: keyword
rule.name:
dashed_name: rule-name
description: The name of the rule or signature generating the event.
example: BLOCK_DNS_over_TLS
flat_name: rule.name
ignore_above: 1024
level: extended
name: name
normalize: []
short: Rule name
type: keyword
rule.reference:
dashed_name: rule-reference
description: 'Reference URL to additional information about the rule used to generate
this event.
The URL can point to the vendor''s documentation about the rule. If that''s not
available, it can also be a link to a more general page describing this type of
alert.'
example: https://en.wikipedia.org/wiki/DNS_over_TLS
flat_name: rule.reference
ignore_above: 1024
level: extended
name: reference
normalize: []
short: Rule reference URL
type: keyword
rule.ruleset:
dashed_name: rule-ruleset
description: Name of the ruleset, policy, group, or parent category in which the
rule used to generate this event is a member.
example: Standard_Protocol_Filters
flat_name: rule.ruleset
ignore_above: 1024
level: extended
name: ruleset
normalize: []
short: Rule ruleset
type: keyword
rule.uuid:
dashed_name: rule-uuid
description: A rule ID that is unique within the scope of a set or group of agents,
observers, or other entities using the rule for detection of this event.
example: 1100110011
flat_name: rule.uuid
ignore_above: 1024
level: extended
name: uuid
normalize: []
short: Rule UUID
type: keyword
rule.version:
dashed_name: rule-version
description: The version / revision of the rule being used for analysis.
example: 1.1
flat_name: rule.version
ignore_above: 1024
level: extended
name: version
normalize: []
short: Rule version
type: keyword
source.geo.city_name:
dashed_name: source-geo-city-name
description: City name.
example: Montreal
flat_name: source.geo.city_name
ignore_above: 1024
level: core
name: city_name
normalize: []
original_fieldset: geo
short: City name.
type: keyword
source.geo.continent_code:
dashed_name: source-geo-continent-code
description: Two-letter code representing continent's name.
example: NA
flat_name: source.geo.continent_code
ignore_above: 1024
level: core
name: continent_code
normalize: []
original_fieldset: geo
short: Continent code.
type: keyword
source.geo.continent_name:
dashed_name: source-geo-continent-name
description: Name of the continent.
example: North America
flat_name: source.geo.continent_name
ignore_above: 1024
level: core
name: continent_name
normalize: []
original_fieldset: geo
short: Name of the continent.
type: keyword
source.geo.country_iso_code:
dashed_name: source-geo-country-iso-code
description: Country ISO code.
example: CA
flat_name: source.geo.country_iso_code
ignore_above: 1024
level: core
name: country_iso_code
normalize: []
original_fieldset: geo
short: Country ISO code.
type: keyword
source.geo.country_name:
dashed_name: source-geo-country-name
description: Country name.
example: Canada
flat_name: source.geo.country_name
ignore_above: 1024
level: core
name: country_name
normalize: []
original_fieldset: geo
short: Country name.
type: keyword
source.geo.location:
dashed_name: source-geo-location
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
flat_name: source.geo.location
level: core
name: location
normalize: []
original_fieldset: geo
short: Longitude and latitude.
type: geo_point
source.geo.name:
dashed_name: source-geo-name
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes a
local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
flat_name: source.geo.name
ignore_above: 1024
level: extended
name: name
normalize: []
original_fieldset: geo
short: User-defined description of a location.
type: keyword
source.geo.postal_code:
dashed_name: source-geo-postal-code
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
flat_name: source.geo.postal_code
ignore_above: 1024
level: core
name: postal_code
normalize: []
original_fieldset: geo
short: Postal code.
type: keyword
source.geo.region_iso_code:
dashed_name: source-geo-region-iso-code
description: Region ISO code.
example: CA-QC
flat_name: source.geo.region_iso_code
ignore_above: 1024
level: core
name: region_iso_code
normalize: []
original_fieldset: geo
short: Region ISO code.
type: keyword
source.geo.region_name:
dashed_name: source-geo-region-name
description: Region name.
example: Quebec
flat_name: source.geo.region_name
ignore_above: 1024
level: core
name: region_name
normalize: []
original_fieldset: geo
short: Region name.
type: keyword
source.geo.timezone:
dashed_name: source-geo-timezone
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
flat_name: source.geo.timezone
ignore_above: 1024
level: core
name: timezone
normalize: []
original_fieldset: geo
short: Time zone.
type: keyword
threat.enrichments:
dashed_name: threat-enrichments
description: A list of associated indicator objects enriching the event, and the
context of that association/enrichment.
flat_name: threat.enrichments
level: extended
name: enrichments
normalize:
- array
short: List of objects containing indicators enriching the event.
type: nested
threat.enrichments.indicator:
dashed_name: threat-enrichments-indicator
description: Object containing associated indicators enriching the event.
flat_name: threat.enrichments.indicator
level: extended
name: enrichments.indicator
normalize: []
short: Object containing indicators enriching the event.
type: object
threat.enrichments.indicator.file.Ext:
dashed_name: threat-enrichments-indicator-file-Ext
description: Object for all custom defined fields to live in.
flat_name: threat.enrichments.indicator.file.Ext
level: custom
name: Ext
normalize: []
original_fieldset: file
short: Object for all custom defined fields to live in.
type: object
threat.enrichments.indicator.file.Ext.code_signature:
dashed_name: threat-enrichments-indicator-file-Ext-code-signature
description: Nested version of ECS code_signature fieldset.
flat_name: threat.enrichments.indicator.file.Ext.code_signature
level: custom
name: Ext.code_signature
normalize: []
original_fieldset: file
short: Nested version of ECS code_signature fieldset.
type: nested
threat.enrichments.indicator.file.Ext.code_signature.exists:
dashed_name: threat-enrichments-indicator-file-Ext-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: threat.enrichments.indicator.file.Ext.code_signature.exists
level: core
name: Ext.code_signature.exists
normalize: []
original_fieldset: file
short: Boolean to capture if a signature is present.
type: boolean
threat.enrichments.indicator.file.Ext.code_signature.status:
dashed_name: threat-enrichments-indicator-file-Ext-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: threat.enrichments.indicator.file.Ext.code_signature.status
ignore_above: 1024
level: custom
name: Ext.code_signature.status
normalize: []
original_fieldset: file
short: Additional information about the certificate status.
type: keyword
threat.enrichments.indicator.file.Ext.code_signature.subject_name:
dashed_name: threat-enrichments-indicator-file-Ext-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: threat.enrichments.indicator.file.Ext.code_signature.subject_name
ignore_above: 1024
level: core
name: Ext.code_signature.subject_name
normalize: []
original_fieldset: file
short: Subject name of the code signer
type: keyword
threat.enrichments.indicator.file.Ext.code_signature.trusted:
dashed_name: threat-enrichments-indicator-file-Ext-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: threat.enrichments.indicator.file.Ext.code_signature.trusted
level: custom
name: Ext.code_signature.trusted
normalize: []
original_fieldset: file
short: Stores the trust status of the certificate chain.
type: boolean
threat.enrichments.indicator.file.Ext.code_signature.valid:
dashed_name: threat-enrichments-indicator-file-Ext-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
A valid signature only shows that the binary matches what was signed; whether the
signing chain is trusted is recorded separately in `trusted`.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: threat.enrichments.indicator.file.Ext.code_signature.valid
level: custom
name: Ext.code_signature.valid
normalize: []
original_fieldset: file
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
threat.enrichments.indicator.file.Ext.device.bus_type:
dashed_name: threat-enrichments-indicator-file-Ext-device-bus-type
description: Bus type of the device, such as Nvme, Usb or FileBackedVirtual.
flat_name: threat.enrichments.indicator.file.Ext.device.bus_type
ignore_above: 1024
level: custom
name: Ext.device.bus_type
normalize: []
original_fieldset: file
short: Bus type of the device.
type: keyword
threat.enrichments.indicator.file.Ext.device.dos_name:
dashed_name: threat-enrichments-indicator-file-Ext-device-dos-name
description: 'DOS name of the device. DOS device names are in the form of drive letters such as C: or D:.'
flat_name: threat.enrichments.indicator.file.Ext.device.dos_name
ignore_above: 1024
level: custom
name: Ext.device.dos_name
normalize: []
original_fieldset: file
short: DOS name of the device.
type: keyword
threat.enrichments.indicator.file.Ext.device.nt_name:
dashed_name: threat-enrichments-indicator-file-Ext-device-nt-name
description: 'NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2'
flat_name: threat.enrichments.indicator.file.Ext.device.nt_name
ignore_above: 1024
level: custom
name: Ext.device.nt_name
normalize: []
original_fieldset: file
short: NT name of the device.
type: keyword
threat.enrichments.indicator.file.Ext.device.product_id:
dashed_name: threat-enrichments-indicator-file-Ext-device-product-id
description: Product ID of the device, as reported by the device vendor, if available.
flat_name: threat.enrichments.indicator.file.Ext.device.product_id
ignore_above: 1024
level: custom
name: Ext.device.product_id
normalize: []
original_fieldset: file
short: ProductID of the device.
type: keyword
threat.enrichments.indicator.file.Ext.device.serial_number:
dashed_name: threat-enrichments-indicator-file-Ext-device-serial-number
description: Serial number of the device, as reported by the device vendor, if available.
flat_name: threat.enrichments.indicator.file.Ext.device.serial_number
ignore_above: 1024
level: custom
name: Ext.device.serial_number
normalize: []
original_fieldset: file
short: Serial Number of the device.
type: keyword
threat.enrichments.indicator.file.Ext.device.vendor_id:
dashed_name: threat-enrichments-indicator-file-Ext-device-vendor-id
description: Vendor ID of the device, as reported by the device vendor.
flat_name: threat.enrichments.indicator.file.Ext.device.vendor_id
ignore_above: 1024
level: custom
name: Ext.device.vendor_id
normalize: []
original_fieldset: file
short: VendorID of the device.
type: keyword
threat.enrichments.indicator.file.Ext.entropy:
dashed_name: threat-enrichments-indicator-file-Ext-entropy
description: Entropy calculation of the file's header and footer, used to check
file integrity. High entropy is a common indicator of encrypted or compressed
content.
flat_name: threat.enrichments.indicator.file.Ext.entropy
level: custom
name: Ext.entropy
normalize: []
original_fieldset: file
short: File entropy value
type: double
threat.enrichments.indicator.file.Ext.entry_modified:
dashed_name: threat-enrichments-indicator-file-Ext-entry-modified
description: Time of last status change. See `st_ctim` member of `struct stat`.
flat_name: threat.enrichments.indicator.file.Ext.entry_modified
level: custom
name: Ext.entry_modified
normalize: []
original_fieldset: file
short: Time of last status change. See `st_ctim` member of `struct stat`.
type: double
threat.enrichments.indicator.file.Ext.header_bytes:
dashed_name: threat-enrichments-indicator-file-Ext-header-bytes
description: First 16 bytes of file used to check file integrity.
flat_name: threat.enrichments.indicator.file.Ext.header_bytes
ignore_above: 1024
level: custom
name: Ext.header_bytes
normalize: []
original_fieldset: file
short: Header bytes
type: keyword
threat.enrichments.indicator.file.Ext.header_data:
dashed_name: threat-enrichments-indicator-file-Ext-header-data
description: First 16 bytes of file used to check file integrity.
flat_name: threat.enrichments.indicator.file.Ext.header_data
level: custom
name: Ext.header_data
normalize: []
norms: false
original_fieldset: file
short: Header data
type: text
threat.enrichments.indicator.file.Ext.malware_classification.features.data.buffer:
dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-features-data-buffer
description: 'The features extracted from this file and evaluated by the model.
Usually an array of floats. The buffer is encoded as described by
`features.data.encoding` (typically zlib); its decompressed length is given by
`features.data.decompressed_size`.'
flat_name: threat.enrichments.indicator.file.Ext.malware_classification.features.data.buffer
ignore_above: 1024
level: custom
name: features.data.buffer
normalize: []
original_fieldset: malware_classification
short: The features extracted from this file and evaluated by the model, encoded
as described by `features.data.encoding`.
type: keyword
threat.enrichments.indicator.file.Ext.malware_classification.features.data.decompressed_size:
dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-features-data-decompressed-size
description: The decompressed size of buffer.
flat_name: threat.enrichments.indicator.file.Ext.malware_classification.features.data.decompressed_size
level: custom
name: features.data.decompressed_size
normalize: []
original_fieldset: malware_classification
short: The decompressed size of buffer.
type: integer
threat.enrichments.indicator.file.Ext.malware_classification.features.data.encoding:
dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-features-data-encoding
description: The encoding of buffer (e.g. zlib).
flat_name: threat.enrichments.indicator.file.Ext.malware_classification.features.data.encoding
ignore_above: 1024
level: custom
name: features.data.encoding
normalize: []
original_fieldset: malware_classification
short: The encoding of buffer (e.g. zlib).
type: keyword
threat.enrichments.indicator.file.Ext.malware_classification.identifier:
dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-identifier
description: The model's unique identifier.
flat_name: threat.enrichments.indicator.file.Ext.malware_classification.identifier
ignore_above: 1024
level: custom
name: identifier
normalize: []
original_fieldset: malware_classification
short: The model's unique identifier.
type: keyword
threat.enrichments.indicator.file.Ext.malware_classification.score:
dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-score
description: The score produced by the classification model.
flat_name: threat.enrichments.indicator.file.Ext.malware_classification.score
level: custom
name: score
normalize: []
original_fieldset: malware_classification
short: The score produced by the classification model.
type: double
threat.enrichments.indicator.file.Ext.malware_classification.threshold:
dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-threshold
description: The score threshold for the model. Files that score above this threshold
are considered malicious.
flat_name: threat.enrichments.indicator.file.Ext.malware_classification.threshold
level: custom
name: threshold
normalize: []
original_fieldset: malware_classification
short: The score threshold for the model. Files that score above this threshold
are considered malicious.
type: double
threat.enrichments.indicator.file.Ext.malware_classification.upx_packed:
dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-upx-packed
description: Whether UPX packing was detected.
flat_name: threat.enrichments.indicator.file.Ext.malware_classification.upx_packed
level: custom
name: upx_packed
normalize: []
original_fieldset: malware_classification
short: Whether UPX packing was detected.
type: boolean
threat.enrichments.indicator.file.Ext.malware_classification.version:
dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-version
description: The version of the model used.
flat_name: threat.enrichments.indicator.file.Ext.malware_classification.version
ignore_above: 1024
level: custom
name: version
normalize: []
original_fieldset: malware_classification
short: The version of the model used.
type: keyword
threat.enrichments.indicator.file.Ext.malware_signature:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature
description: Nested version of malware_signature fieldset.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature
level: custom
name: Ext.malware_signature
normalize: []
original_fieldset: file
short: Nested version of malware_signature fieldset.
type: nested
threat.enrichments.indicator.file.Ext.malware_signature.all_names:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-all-names
description: The concatenated names of all matching YARA signatures.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.all_names
level: custom
name: Ext.malware_signature.all_names
normalize: []
norms: false
original_fieldset: file
short: Yara signature names
type: text
threat.enrichments.indicator.file.Ext.malware_signature.identifier:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-identifier
description: Malware artifact identifier.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.identifier
level: custom
name: Ext.malware_signature.identifier
normalize: []
norms: false
original_fieldset: file
short: Malware artifact identifier
type: text
threat.enrichments.indicator.file.Ext.malware_signature.primary:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary
description: Primary malware signature match.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary
level: custom
name: Ext.malware_signature.primary
normalize: []
original_fieldset: file
short: Primary malware signature match
type: nested
threat.enrichments.indicator.file.Ext.malware_signature.primary.matches:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-matches
description: An array of bytes representing yara signature matches
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.matches
level: custom
name: Ext.malware_signature.primary.matches
normalize:
- array
original_fieldset: file
short: signature match bytes
type: nested
threat.enrichments.indicator.file.Ext.malware_signature.primary.signature:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature
description: Primary malware signature match.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature
level: custom
name: Ext.malware_signature.primary.signature
normalize: []
original_fieldset: file
short: Primary malware signature match
type: nested
threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature-hash
description: Primary malware signature hash.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash
level: custom
name: Ext.malware_signature.primary.signature.hash
normalize: []
original_fieldset: file
short: Primary malware signature hash
type: nested
threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash.sha256:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature-hash-sha256
description: Primary malware signature sha256.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash.sha256
ignore_above: 1024
level: custom
name: Ext.malware_signature.primary.signature.hash.sha256
normalize: []
original_fieldset: file
short: Primary malware signature sha256
type: keyword
threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.id:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature-id
description: Primary malware signature id.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.id
ignore_above: 1024
level: custom
name: Ext.malware_signature.primary.signature.id
normalize: []
original_fieldset: file
short: Primary malware signature id
type: keyword
threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.name:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature-name
description: Primary malware signature name.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.name
ignore_above: 1024
level: custom
name: Ext.malware_signature.primary.signature.name
normalize: []
original_fieldset: file
short: Primary malware signature name
type: keyword
threat.enrichments.indicator.file.Ext.malware_signature.secondary:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-secondary
description: An array of malware signature matches
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.secondary
level: custom
name: Ext.malware_signature.secondary
normalize:
- array
original_fieldset: file
short: secondary signature matches
type: nested
threat.enrichments.indicator.file.Ext.malware_signature.version:
dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-version
description: Primary malware signature version.
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.version
ignore_above: 1024
level: custom
name: Ext.malware_signature.version
normalize: []
original_fieldset: file
short: Primary malware signature version
type: keyword
threat.enrichments.indicator.file.Ext.monotonic_id:
dashed_name: threat-enrichments-indicator-file-Ext-monotonic-id
description: File event monotonic ID.
flat_name: threat.enrichments.indicator.file.Ext.monotonic_id
level: custom
name: Ext.monotonic_id
normalize: []
original_fieldset: file
short: File event monotonic ID
type: unsigned_long
threat.enrichments.indicator.file.Ext.original:
dashed_name: threat-enrichments-indicator-file-Ext-original
description: Original file information during a modification event.
flat_name: threat.enrichments.indicator.file.Ext.original
level: custom
name: Ext.original
normalize: []
original_fieldset: file
short: Original file information during a modification event.
type: object
threat.enrichments.indicator.file.Ext.original.gid:
dashed_name: threat-enrichments-indicator-file-Ext-original-gid
description: Primary group ID (GID) of the file.
example: '1001'
flat_name: threat.enrichments.indicator.file.Ext.original.gid
ignore_above: 1024
level: custom
name: Ext.original.gid
normalize: []
original_fieldset: file
short: Primary group ID (GID) of the file.
type: keyword
threat.enrichments.indicator.file.Ext.original.group:
dashed_name: threat-enrichments-indicator-file-Ext-original-group
description: Primary group name of the file.
example: alice
flat_name: threat.enrichments.indicator.file.Ext.original.group
ignore_above: 1024
level: custom
name: Ext.original.group
normalize: []
original_fieldset: file
short: Primary group name of the file.
type: keyword
threat.enrichments.indicator.file.Ext.original.mode:
dashed_name: threat-enrichments-indicator-file-Ext-original-mode
description: Original file mode prior to a modification event
flat_name: threat.enrichments.indicator.file.Ext.original.mode
ignore_above: 1024
level: custom
name: Ext.original.mode
normalize: []
original_fieldset: file
short: Original file mode prior to a modification event
type: keyword
threat.enrichments.indicator.file.Ext.original.name:
dashed_name: threat-enrichments-indicator-file-Ext-original-name
description: Original file name prior to a modification event
flat_name: threat.enrichments.indicator.file.Ext.original.name
ignore_above: 1024
level: custom
name: Ext.original.name
normalize: []
original_fieldset: file
short: Original file name prior to a modification event
type: keyword
threat.enrichments.indicator.file.Ext.original.owner:
dashed_name: threat-enrichments-indicator-file-Ext-original-owner
description: File owner's username.
example: alice
flat_name: threat.enrichments.indicator.file.Ext.original.owner
ignore_above: 1024
level: custom
name: Ext.original.owner
normalize: []
original_fieldset: file
short: File owner's username.
type: keyword
threat.enrichments.indicator.file.Ext.original.path:
dashed_name: threat-enrichments-indicator-file-Ext-original-path
description: Original file path prior to a modification event
flat_name: threat.enrichments.indicator.file.Ext.original.path
ignore_above: 1024
level: custom
name: Ext.original.path
normalize: []
original_fieldset: file
short: Original file path prior to a modification event
type: keyword
threat.enrichments.indicator.file.Ext.original.uid:
dashed_name: threat-enrichments-indicator-file-Ext-original-uid
description: The user ID (UID) or security identifier (SID) of the file owner.
example: '1001'
flat_name: threat.enrichments.indicator.file.Ext.original.uid
ignore_above: 1024
level: custom
name: Ext.original.uid
normalize: []
original_fieldset: file
short: The user ID (UID) or security identifier (SID) of the file owner.
type: keyword
threat.enrichments.indicator.file.Ext.quarantine_message:
dashed_name: threat-enrichments-indicator-file-Ext-quarantine-message
description: Message describing quarantine results.
flat_name: threat.enrichments.indicator.file.Ext.quarantine_message
ignore_above: 1024
level: custom
name: Ext.quarantine_message
normalize: []
original_fieldset: file
short: Message describing quarantine results.
type: keyword
threat.enrichments.indicator.file.Ext.quarantine_path:
dashed_name: threat-enrichments-indicator-file-Ext-quarantine-path
description: Original path of the quarantined file on the endpoint, before it was moved to quarantine.
flat_name: threat.enrichments.indicator.file.Ext.quarantine_path
ignore_above: 1024
level: custom
name: Ext.quarantine_path
normalize: []
original_fieldset: file
short: Original path of the quarantined file on the endpoint.
type: keyword
threat.enrichments.indicator.file.Ext.quarantine_result:
dashed_name: threat-enrichments-indicator-file-Ext-quarantine-result
description: Boolean representing whether or not file quarantine succeeded.
flat_name: threat.enrichments.indicator.file.Ext.quarantine_result
level: custom
name: Ext.quarantine_result
normalize: []
original_fieldset: file
short: Boolean representing whether or not file quarantine succeeded.
type: boolean
threat.enrichments.indicator.file.Ext.temp_file_path:
dashed_name: threat-enrichments-indicator-file-Ext-temp-file-path
description: Path on endpoint where a copy of the file is being stored. Used to
make ephemeral files retrievable.
flat_name: threat.enrichments.indicator.file.Ext.temp_file_path
ignore_above: 1024
level: custom
name: Ext.temp_file_path
normalize: []
original_fieldset: file
short: Path on endpoint where a copy of the file is being stored. Used to make
ephemeral files retrievable.
type: keyword
threat.enrichments.indicator.file.Ext.windows:
dashed_name: threat-enrichments-indicator-file-Ext-windows
description: Platform-specific Windows fields
flat_name: threat.enrichments.indicator.file.Ext.windows
level: custom
name: Ext.windows
normalize: []
original_fieldset: file
short: Platform-specific Windows fields
type: object
threat.enrichments.indicator.file.Ext.windows.zone_identifier:
dashed_name: threat-enrichments-indicator-file-Ext-windows-zone-identifier
description: Windows zone identifier for a file
flat_name: threat.enrichments.indicator.file.Ext.windows.zone_identifier
ignore_above: 1024
level: custom
name: Ext.windows.zone_identifier
normalize: []
original_fieldset: file
short: Windows zone identifier for a file
type: keyword
threat.enrichments.indicator.file.accessed:
dashed_name: threat-enrichments-indicator-file-accessed
description: 'Last time the file was accessed.
Note that not all filesystems keep track of access time.'
flat_name: threat.enrichments.indicator.file.accessed
level: extended
name: accessed
normalize: []
original_fieldset: file
short: Last time the file was accessed.
type: date
threat.enrichments.indicator.file.attributes:
dashed_name: threat-enrichments-indicator-file-attributes
description: 'Array of file attributes.
Attributes names will vary by platform. Here''s a non-exhaustive list of values
that are expected in this field: archive, compressed, directory, encrypted, execute,
hidden, read, readonly, system, write.'
example: '["readonly", "system"]'
flat_name: threat.enrichments.indicator.file.attributes
ignore_above: 1024
level: extended
name: attributes
normalize:
- array
original_fieldset: file
short: Array of file attributes.
type: keyword
threat.enrichments.indicator.file.code_signature.exists:
dashed_name: threat-enrichments-indicator-file-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: threat.enrichments.indicator.file.code_signature.exists
level: core
name: exists
normalize: []
original_fieldset: code_signature
short: Boolean to capture if a signature is present.
type: boolean
threat.enrichments.indicator.file.code_signature.signing_id:
dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor. The
field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
flat_name: threat.enrichments.indicator.file.code_signature.signing_id
ignore_above: 1024
level: extended
name: signing_id
normalize: []
original_fieldset: code_signature
short: The identifier used to sign the process.
type: keyword
threat.enrichments.indicator.file.code_signature.status:
dashed_name: threat-enrichments-indicator-file-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: threat.enrichments.indicator.file.code_signature.status
ignore_above: 1024
level: extended
name: status
normalize: []
original_fieldset: code_signature
short: Additional information about the certificate status.
type: keyword
threat.enrichments.indicator.file.code_signature.subject_name:
dashed_name: threat-enrichments-indicator-file-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: threat.enrichments.indicator.file.code_signature.subject_name
ignore_above: 1024
level: core
name: subject_name
normalize: []
original_fieldset: code_signature
short: Subject name of the code signer
type: keyword
threat.enrichments.indicator.file.code_signature.team_id:
dashed_name: threat-enrichments-indicator-file-code-signature-team-id
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field is
relevant to Apple *OS only.'
example: EQHXZ8M8AV
flat_name: threat.enrichments.indicator.file.code_signature.team_id
ignore_above: 1024
level: extended
name: team_id
normalize: []
original_fieldset: code_signature
short: The team identifier used to sign the process.
type: keyword
threat.enrichments.indicator.file.code_signature.trusted:
dashed_name: threat-enrichments-indicator-file-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: threat.enrichments.indicator.file.code_signature.trusted
level: extended
name: trusted
normalize: []
original_fieldset: code_signature
short: Stores the trust status of the certificate chain.
type: boolean
threat.enrichments.indicator.file.code_signature.valid:
dashed_name: threat-enrichments-indicator-file-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: threat.enrichments.indicator.file.code_signature.valid
level: extended
name: valid
normalize: []
original_fieldset: code_signature
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
threat.enrichments.indicator.file.created:
dashed_name: threat-enrichments-indicator-file-created
description: 'File creation time.
Note that not all filesystems store the creation time.'
flat_name: threat.enrichments.indicator.file.created
level: extended
name: created
normalize: []
original_fieldset: file
short: File creation time.
type: date
threat.enrichments.indicator.file.ctime:
dashed_name: threat-enrichments-indicator-file-ctime
description: 'Last time the file attributes or metadata changed.
Note that changes to the file content will update `mtime`. This implies `ctime`
will be adjusted at the same time, since `mtime` is an attribute of the file.'
flat_name: threat.enrichments.indicator.file.ctime
level: extended
name: ctime
normalize: []
original_fieldset: file
short: Last time the file attributes or metadata changed.
type: date
threat.enrichments.indicator.file.device:
dashed_name: threat-enrichments-indicator-file-device
description: Device that is the source of the file.
example: sda
flat_name: threat.enrichments.indicator.file.device
ignore_above: 1024
level: extended
name: device
normalize: []
original_fieldset: file
short: Device that is the source of the file.
type: keyword
threat.enrichments.indicator.file.directory:
dashed_name: threat-enrichments-indicator-file-directory
description: Directory where the file is located. It should include the drive letter,
when appropriate.
example: /home/alice
flat_name: threat.enrichments.indicator.file.directory
ignore_above: 1024
level: extended
name: directory
normalize: []
original_fieldset: file
short: Directory where the file is located.
type: keyword
threat.enrichments.indicator.file.drive_letter:
dashed_name: threat-enrichments-indicator-file-drive-letter
description: 'Drive letter where the file is located. This field is only relevant
on Windows.
The value should be uppercase, and not include the colon.'
example: C
flat_name: threat.enrichments.indicator.file.drive_letter
ignore_above: 1
level: extended
name: drive_letter
normalize: []
original_fieldset: file
short: Drive letter where the file is located.
type: keyword
threat.enrichments.indicator.file.elf.architecture:
dashed_name: threat-enrichments-indicator-file-elf-architecture
description: Machine architecture of the ELF file.
example: x86-64
flat_name: threat.enrichments.indicator.file.elf.architecture
ignore_above: 1024
level: extended
name: architecture
normalize: []
original_fieldset: elf
short: Machine architecture of the ELF file.
type: keyword
threat.enrichments.indicator.file.elf.byte_order:
dashed_name: threat-enrichments-indicator-file-elf-byte-order
description: Byte order of the ELF file.
example: Little Endian
flat_name: threat.enrichments.indicator.file.elf.byte_order
ignore_above: 1024
level: extended
name: byte_order
normalize: []
original_fieldset: elf
short: Byte order of the ELF file.
type: keyword
threat.enrichments.indicator.file.elf.cpu_type:
dashed_name: threat-enrichments-indicator-file-elf-cpu-type
description: CPU type of the ELF file.
example: Intel
flat_name: threat.enrichments.indicator.file.elf.cpu_type
ignore_above: 1024
level: extended
name: cpu_type
normalize: []
original_fieldset: elf
short: CPU type of the ELF file.
type: keyword
threat.enrichments.indicator.file.elf.creation_date:
dashed_name: threat-enrichments-indicator-file-elf-creation-date
description: Extracted when possible from the file's metadata. Indicates when it
was built or compiled. It can also be faked by malware creators.
flat_name: threat.enrichments.indicator.file.elf.creation_date
level: extended
name: creation_date
normalize: []
original_fieldset: elf
short: Build or compile date.
type: date
threat.enrichments.indicator.file.elf.exports:
dashed_name: threat-enrichments-indicator-file-elf-exports
description: List of exported element names and types.
flat_name: threat.enrichments.indicator.file.elf.exports
level: extended
name: exports
normalize:
- array
original_fieldset: elf
short: List of exported element names and types.
type: flattened
threat.enrichments.indicator.file.elf.go_import_hash:
dashed_name: threat-enrichments-indicator-file-elf-go-import-hash
description: 'A hash of the Go language imports in an ELF file excluding standard
library imports. An import hash can be used to fingerprint binaries even after
recompilation or other code-level transformations have occurred, which would change
more traditional hash values.
The algorithm used to calculate the Go symbol hash and a reference implementation
are available [here](https://github.com/elastic/toutoumomoma).'
example: 10bddcb4cee42080f76c88d9ff964491
flat_name: threat.enrichments.indicator.file.elf.go_import_hash
ignore_above: 1024
level: extended
name: go_import_hash
normalize: []
original_fieldset: elf
short: A hash of the Go language imports in an ELF file.
type: keyword
threat.enrichments.indicator.file.elf.go_imports:
dashed_name: threat-enrichments-indicator-file-elf-go-imports
description: List of imported Go language element names and types.
flat_name: threat.enrichments.indicator.file.elf.go_imports
level: extended
name: go_imports
normalize: []
original_fieldset: elf
short: List of imported Go language element names and types.
type: flattened
threat.enrichments.indicator.file.elf.go_imports_names_entropy:
dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-entropy
description: Shannon entropy calculation from the list of Go imports.
flat_name: threat.enrichments.indicator.file.elf.go_imports_names_entropy
format: number
level: extended
name: go_imports_names_entropy
normalize: []
original_fieldset: elf
short: Shannon entropy calculation from the list of Go imports.
type: long
threat.enrichments.indicator.file.elf.go_imports_names_var_entropy:
dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-var-entropy
description: Variance for Shannon entropy calculation from the list of Go imports.
flat_name: threat.enrichments.indicator.file.elf.go_imports_names_var_entropy
format: number
level: extended
name: go_imports_names_var_entropy
normalize: []
original_fieldset: elf
short: Variance for Shannon entropy calculation from the list of Go imports.
type: long
threat.enrichments.indicator.file.elf.go_stripped:
dashed_name: threat-enrichments-indicator-file-elf-go-stripped
description: Set to true if the file is a Go executable that has had its symbols
stripped or obfuscated and false if an unobfuscated Go executable.
flat_name: threat.enrichments.indicator.file.elf.go_stripped
level: extended
name: go_stripped
normalize: []
original_fieldset: elf
short: Whether the file is a stripped or obfuscated Go executable.
type: boolean
threat.enrichments.indicator.file.elf.header.abi_version:
dashed_name: threat-enrichments-indicator-file-elf-header-abi-version
description: Version of the ELF Application Binary Interface (ABI).
flat_name: threat.enrichments.indicator.file.elf.header.abi_version
ignore_above: 1024
level: extended
name: header.abi_version
normalize: []
original_fieldset: elf
short: Version of the ELF Application Binary Interface (ABI).
type: keyword
threat.enrichments.indicator.file.elf.header.class:
dashed_name: threat-enrichments-indicator-file-elf-header-class
description: Header class of the ELF file.
flat_name: threat.enrichments.indicator.file.elf.header.class
ignore_above: 1024
level: extended
name: header.class
normalize: []
original_fieldset: elf
short: Header class of the ELF file.
type: keyword
threat.enrichments.indicator.file.elf.header.data:
dashed_name: threat-enrichments-indicator-file-elf-header-data
description: Data table of the ELF header.
flat_name: threat.enrichments.indicator.file.elf.header.data
ignore_above: 1024
level: extended
name: header.data
normalize: []
original_fieldset: elf
short: Data table of the ELF header.
type: keyword
threat.enrichments.indicator.file.elf.header.entrypoint:
dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint
description: Header entrypoint of the ELF file.
flat_name: threat.enrichments.indicator.file.elf.header.entrypoint
format: string
level: extended
name: header.entrypoint
normalize: []
original_fieldset: elf
short: Header entrypoint of the ELF file.
type: long
threat.enrichments.indicator.file.elf.header.object_version:
dashed_name: threat-enrichments-indicator-file-elf-header-object-version
description: '"0x1" for original ELF files.'
flat_name: threat.enrichments.indicator.file.elf.header.object_version
ignore_above: 1024
level: extended
name: header.object_version
normalize: []
original_fieldset: elf
short: '"0x1" for original ELF files.'
type: keyword
threat.enrichments.indicator.file.elf.header.os_abi:
dashed_name: threat-enrichments-indicator-file-elf-header-os-abi
description: Application Binary Interface (ABI) of the Linux OS.
flat_name: threat.enrichments.indicator.file.elf.header.os_abi
ignore_above: 1024
level: extended
name: header.os_abi
normalize: []
original_fieldset: elf
short: Application Binary Interface (ABI) of the Linux OS.
type: keyword
threat.enrichments.indicator.file.elf.header.type:
dashed_name: threat-enrichments-indicator-file-elf-header-type
description: Header type of the ELF file.
flat_name: threat.enrichments.indicator.file.elf.header.type
ignore_above: 1024
level: extended
name: header.type
normalize: []
original_fieldset: elf
short: Header type of the ELF file.
type: keyword
threat.enrichments.indicator.file.elf.header.version:
dashed_name: threat-enrichments-indicator-file-elf-header-version
description: Version of the ELF header.
flat_name: threat.enrichments.indicator.file.elf.header.version
ignore_above: 1024
level: extended
name: header.version
normalize: []
original_fieldset: elf
short: Version of the ELF header.
type: keyword
threat.enrichments.indicator.file.elf.import_hash:
dashed_name: threat-enrichments-indicator-file-elf-import-hash
description: 'A hash of the imports in an ELF file. An import hash can be used to
fingerprint binaries even after recompilation or other code-level transformations
have occurred, which would change more traditional hash values.
This is an ELF implementation of the Windows PE imphash.'
example: d41d8cd98f00b204e9800998ecf8427e
flat_name: threat.enrichments.indicator.file.elf.import_hash
ignore_above: 1024
level: extended
name: import_hash
normalize: []
original_fieldset: elf
short: A hash of the imports in an ELF file.
type: keyword
threat.enrichments.indicator.file.elf.imports:
dashed_name: threat-enrichments-indicator-file-elf-imports
description: List of imported element names and types.
flat_name: threat.enrichments.indicator.file.elf.imports
level: extended
name: imports
normalize:
- array
original_fieldset: elf
short: List of imported element names and types.
type: flattened
threat.enrichments.indicator.file.elf.imports_names_entropy:
dashed_name: threat-enrichments-indicator-file-elf-imports-names-entropy
description: Shannon entropy calculation from the list of imported element names
and types.
flat_name: threat.enrichments.indicator.file.elf.imports_names_entropy
format: number
level: extended
name: imports_names_entropy
normalize: []
original_fieldset: elf
short: Shannon entropy calculation from the list of imported element names and types.
type: long
threat.enrichments.indicator.file.elf.imports_names_var_entropy:
dashed_name: threat-enrichments-indicator-file-elf-imports-names-var-entropy
description: Variance for Shannon entropy calculation from the list of imported
element names and types.
flat_name: threat.enrichments.indicator.file.elf.imports_names_var_entropy
format: number
level: extended
name: imports_names_var_entropy
normalize: []
original_fieldset: elf
short: Variance for Shannon entropy calculation from the list of imported element
names and types.
type: long
threat.enrichments.indicator.file.elf.sections:
dashed_name: threat-enrichments-indicator-file-elf-sections
description: 'An array containing an object for each section of the ELF file.
The keys that should be present in these objects are defined by sub-fields underneath
`elf.sections.*`.'
flat_name: threat.enrichments.indicator.file.elf.sections
level: extended
name: sections
normalize:
- array
original_fieldset: elf
short: Section information of the ELF file.
type: nested
threat.enrichments.indicator.file.elf.sections.chi2:
dashed_name: threat-enrichments-indicator-file-elf-sections-chi2
description: Chi-square probability distribution of the section.
flat_name: threat.enrichments.indicator.file.elf.sections.chi2
format: number
level: extended
name: sections.chi2
normalize: []
original_fieldset: elf
short: Chi-square probability distribution of the section.
type: long
threat.enrichments.indicator.file.elf.sections.entropy:
dashed_name: threat-enrichments-indicator-file-elf-sections-entropy
description: Shannon entropy calculation from the section.
flat_name: threat.enrichments.indicator.file.elf.sections.entropy
format: number
level: extended
name: sections.entropy
normalize: []
original_fieldset: elf
short: Shannon entropy calculation from the section.
type: long
threat.enrichments.indicator.file.elf.sections.flags:
dashed_name: threat-enrichments-indicator-file-elf-sections-flags
description: ELF Section List flags.
flat_name: threat.enrichments.indicator.file.elf.sections.flags
ignore_above: 1024
level: extended
name: sections.flags
normalize: []
original_fieldset: elf
short: ELF Section List flags.
type: keyword
threat.enrichments.indicator.file.elf.sections.name:
dashed_name: threat-enrichments-indicator-file-elf-sections-name
description: ELF Section List name.
flat_name: threat.enrichments.indicator.file.elf.sections.name
ignore_above: 1024
level: extended
name: sections.name
normalize: []
original_fieldset: elf
short: ELF Section List name.
type: keyword
threat.enrichments.indicator.file.elf.sections.physical_offset:
dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset
description: ELF Section List offset.
flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset
ignore_above: 1024
level: extended
name: sections.physical_offset
normalize: []
original_fieldset: elf
short: ELF Section List offset.
type: keyword
threat.enrichments.indicator.file.elf.sections.physical_size:
dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size
description: ELF Section List physical size.
flat_name: threat.enrichments.indicator.file.elf.sections.physical_size
format: bytes
level: extended
name: sections.physical_size
normalize: []
original_fieldset: elf
short: ELF Section List physical size.
type: long
threat.enrichments.indicator.file.elf.sections.type:
dashed_name: threat-enrichments-indicator-file-elf-sections-type
description: ELF Section List type.
flat_name: threat.enrichments.indicator.file.elf.sections.type
ignore_above: 1024
level: extended
name: sections.type
normalize: []
original_fieldset: elf
short: ELF Section List type.
type: keyword
threat.enrichments.indicator.file.elf.sections.var_entropy:
dashed_name: threat-enrichments-indicator-file-elf-sections-var-entropy
description: Variance for Shannon entropy calculation from the section.
flat_name: threat.enrichments.indicator.file.elf.sections.var_entropy
format: number
level: extended
name: sections.var_entropy
normalize: []
original_fieldset: elf
short: Variance for Shannon entropy calculation from the section.
type: long
threat.enrichments.indicator.file.elf.sections.virtual_address:
dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address
description: ELF Section List virtual address.
flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address
format: string
level: extended
name: sections.virtual_address
normalize: []
original_fieldset: elf
short: ELF Section List virtual address.
type: long
threat.enrichments.indicator.file.elf.sections.virtual_size:
dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size
description: ELF Section List virtual size.
flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size
format: string
level: extended
name: sections.virtual_size
normalize: []
original_fieldset: elf
short: ELF Section List virtual size.
type: long
threat.enrichments.indicator.file.elf.segments:
dashed_name: threat-enrichments-indicator-file-elf-segments
description: 'An array containing an object for each segment of the ELF file.
The keys that should be present in these objects are defined by sub-fields underneath
`elf.segments.*`.'
flat_name: threat.enrichments.indicator.file.elf.segments
level: extended
name: segments
normalize:
- array
original_fieldset: elf
short: ELF object segment list.
type: nested
threat.enrichments.indicator.file.elf.segments.sections:
dashed_name: threat-enrichments-indicator-file-elf-segments-sections
description: ELF object segment sections.
flat_name: threat.enrichments.indicator.file.elf.segments.sections
ignore_above: 1024
level: extended
name: segments.sections
normalize: []
original_fieldset: elf
short: ELF object segment sections.
type: keyword
threat.enrichments.indicator.file.elf.segments.type:
dashed_name: threat-enrichments-indicator-file-elf-segments-type
description: ELF object segment type.
flat_name: threat.enrichments.indicator.file.elf.segments.type
ignore_above: 1024
level: extended
name: segments.type
normalize: []
original_fieldset: elf
short: ELF object segment type.
type: keyword
threat.enrichments.indicator.file.elf.shared_libraries:
dashed_name: threat-enrichments-indicator-file-elf-shared-libraries
description: List of shared libraries used by this ELF object.
flat_name: threat.enrichments.indicator.file.elf.shared_libraries
ignore_above: 1024
level: extended
name: shared_libraries
normalize:
- array
original_fieldset: elf
short: List of shared libraries used by this ELF object.
type: keyword
threat.enrichments.indicator.file.elf.telfhash:
dashed_name: threat-enrichments-indicator-file-elf-telfhash
description: telfhash symbol hash of the ELF file.
flat_name: threat.enrichments.indicator.file.elf.telfhash
ignore_above: 1024
level: extended
name: telfhash
normalize: []
original_fieldset: elf
short: telfhash symbol hash of the ELF file.
type: keyword
threat.enrichments.indicator.file.extension:
dashed_name: threat-enrichments-indicator-file-extension
description: 'File extension, excluding the leading dot.
Note that when the file name has multiple extensions (example.tar.gz), only the
last one should be captured ("gz", not "tar.gz").'
example: png
flat_name: threat.enrichments.indicator.file.extension
ignore_above: 1024
level: extended
name: extension
normalize: []
original_fieldset: file
short: File extension, excluding the leading dot.
type: keyword
threat.enrichments.indicator.file.gid:
dashed_name: threat-enrichments-indicator-file-gid
description: Primary group ID (GID) of the file.
example: '1001'
flat_name: threat.enrichments.indicator.file.gid
ignore_above: 1024
level: extended
name: gid
normalize: []
original_fieldset: file
short: Primary group ID (GID) of the file.
type: keyword
threat.enrichments.indicator.file.group:
dashed_name: threat-enrichments-indicator-file-group
description: Primary group name of the file.
example: alice
flat_name: threat.enrichments.indicator.file.group
ignore_above: 1024
level: extended
name: group
normalize: []
original_fieldset: file
short: Primary group name of the file.
type: keyword
threat.enrichments.indicator.file.hash.md5:
dashed_name: threat-enrichments-indicator-file-hash-md5
description: MD5 hash.
flat_name: threat.enrichments.indicator.file.hash.md5
ignore_above: 1024
level: extended
name: md5
normalize: []
original_fieldset: hash
short: MD5 hash.
type: keyword
threat.enrichments.indicator.file.hash.sha1:
dashed_name: threat-enrichments-indicator-file-hash-sha1
description: SHA1 hash.
flat_name: threat.enrichments.indicator.file.hash.sha1
ignore_above: 1024
level: extended
name: sha1
normalize: []
original_fieldset: hash
short: SHA1 hash.
type: keyword
threat.enrichments.indicator.file.hash.sha256:
dashed_name: threat-enrichments-indicator-file-hash-sha256
description: SHA256 hash.
flat_name: threat.enrichments.indicator.file.hash.sha256
ignore_above: 1024
level: extended
name: sha256
normalize: []
original_fieldset: hash
short: SHA256 hash.
type: keyword
threat.enrichments.indicator.file.hash.sha512:
dashed_name: threat-enrichments-indicator-file-hash-sha512
description: SHA512 hash.
flat_name: threat.enrichments.indicator.file.hash.sha512
ignore_above: 1024
level: extended
name: sha512
normalize: []
original_fieldset: hash
short: SHA512 hash.
type: keyword
threat.enrichments.indicator.file.hash.ssdeep:
dashed_name: threat-enrichments-indicator-file-hash-ssdeep
description: SSDEEP hash.
flat_name: threat.enrichments.indicator.file.hash.ssdeep
ignore_above: 1024
level: extended
name: ssdeep
normalize: []
original_fieldset: hash
short: SSDEEP hash.
type: keyword
threat.enrichments.indicator.file.inode:
dashed_name: threat-enrichments-indicator-file-inode
description: Inode representing the file in the filesystem.
example: '256383'
flat_name: threat.enrichments.indicator.file.inode
ignore_above: 1024
level: extended
name: inode
normalize: []
original_fieldset: file
short: Inode representing the file in the filesystem.
type: keyword
threat.enrichments.indicator.file.mime_type:
dashed_name: threat-enrichments-indicator-file-mime-type
description: MIME type should identify the format of the file or stream of bytes
using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
types], where possible. When more than one type is applicable, the most specific
type should be used.
flat_name: threat.enrichments.indicator.file.mime_type
ignore_above: 1024
level: extended
name: mime_type
normalize: []
original_fieldset: file
short: Media type of file, document, or arrangement of bytes.
type: keyword
threat.enrichments.indicator.file.mode:
dashed_name: threat-enrichments-indicator-file-mode
description: Mode of the file in octal representation.
example: '0640'
flat_name: threat.enrichments.indicator.file.mode
ignore_above: 1024
level: extended
name: mode
normalize: []
original_fieldset: file
short: Mode of the file in octal representation.
type: keyword
threat.enrichments.indicator.file.mtime:
dashed_name: threat-enrichments-indicator-file-mtime
description: Last time the file content was modified.
flat_name: threat.enrichments.indicator.file.mtime
level: extended
name: mtime
normalize: []
original_fieldset: file
short: Last time the file content was modified.
type: date
threat.enrichments.indicator.file.name:
dashed_name: threat-enrichments-indicator-file-name
description: Name of the file including the extension, without the directory.
example: example.png
flat_name: threat.enrichments.indicator.file.name
ignore_above: 1024
level: extended
name: name
normalize: []
original_fieldset: file
short: Name of the file including the extension, without the directory.
type: keyword
threat.enrichments.indicator.file.owner:
dashed_name: threat-enrichments-indicator-file-owner
description: File owner's username.
example: alice
flat_name: threat.enrichments.indicator.file.owner
ignore_above: 1024
level: extended
name: owner
normalize: []
original_fieldset: file
short: File owner's username.
type: keyword
threat.enrichments.indicator.file.path:
dashed_name: threat-enrichments-indicator-file-path
description: Full path to the file, including the file name. It should include the
drive letter, when appropriate.
example: /home/alice/example.png
flat_name: threat.enrichments.indicator.file.path
ignore_above: 1024
level: extended
multi_fields:
- flat_name: threat.enrichments.indicator.file.path.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: threat.enrichments.indicator.file.path.text
name: text
norms: false
type: text
name: path
normalize: []
original_fieldset: file
short: Full path to the file, including the file name.
type: keyword
threat.enrichments.indicator.file.pe.architecture:
dashed_name: threat-enrichments-indicator-file-pe-architecture
description: CPU architecture target for the file.
example: x64
flat_name: threat.enrichments.indicator.file.pe.architecture
ignore_above: 1024
level: extended
name: architecture
normalize: []
original_fieldset: pe
short: CPU architecture target for the file.
type: keyword
threat.enrichments.indicator.file.pe.company:
dashed_name: threat-enrichments-indicator-file-pe-company
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
flat_name: threat.enrichments.indicator.file.pe.company
ignore_above: 1024
level: extended
name: company
normalize: []
original_fieldset: pe
short: Internal company name of the file, provided at compile-time.
type: keyword
threat.enrichments.indicator.file.pe.description:
dashed_name: threat-enrichments-indicator-file-pe-description
description: Internal description of the file, provided at compile-time.
example: Paint
flat_name: threat.enrichments.indicator.file.pe.description
ignore_above: 1024
level: extended
name: description
normalize: []
original_fieldset: pe
short: Internal description of the file, provided at compile-time.
type: keyword
threat.enrichments.indicator.file.pe.file_version:
dashed_name: threat-enrichments-indicator-file-pe-file-version
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
flat_name: threat.enrichments.indicator.file.pe.file_version
ignore_above: 1024
level: extended
name: file_version
normalize: []
original_fieldset: pe
short: Internal version of the file, provided at compile-time.
type: keyword
threat.enrichments.indicator.file.pe.imphash:
dashed_name: threat-enrichments-indicator-file-pe-imphash
description: 'A hash of the imports in a PE file. An imphash -- or import hash --
can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
flat_name: threat.enrichments.indicator.file.pe.imphash
ignore_above: 1024
level: extended
name: imphash
normalize: []
original_fieldset: pe
short: A hash of the imports in a PE file.
type: keyword
threat.enrichments.indicator.file.pe.original_file_name:
dashed_name: threat-enrichments-indicator-file-pe-original-file-name
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
flat_name: threat.enrichments.indicator.file.pe.original_file_name
ignore_above: 1024
level: extended
name: original_file_name
normalize: []
original_fieldset: pe
short: Internal name of the file, provided at compile-time.
type: keyword
threat.enrichments.indicator.file.pe.product:
dashed_name: threat-enrichments-indicator-file-pe-product
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
flat_name: threat.enrichments.indicator.file.pe.product
ignore_above: 1024
level: extended
name: product
normalize: []
original_fieldset: pe
short: Internal product name of the file, provided at compile-time.
type: keyword
threat.enrichments.indicator.file.size:
dashed_name: threat-enrichments-indicator-file-size
description: 'File size in bytes.
Only relevant when `file.type` is "file".'
example: 16384
flat_name: threat.enrichments.indicator.file.size
level: extended
name: size
normalize: []
original_fieldset: file
short: File size in bytes.
type: long
threat.enrichments.indicator.file.target_path:
dashed_name: threat-enrichments-indicator-file-target-path
description: Target path for symlinks.
flat_name: threat.enrichments.indicator.file.target_path
ignore_above: 1024
level: extended
multi_fields:
- flat_name: threat.enrichments.indicator.file.target_path.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: threat.enrichments.indicator.file.target_path.text
name: text
norms: false
type: text
name: target_path
normalize: []
original_fieldset: file
short: Target path for symlinks.
type: keyword
threat.enrichments.indicator.file.type:
dashed_name: threat-enrichments-indicator-file-type
description: File type (file, dir, or symlink).
example: file
flat_name: threat.enrichments.indicator.file.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: file
short: File type (file, dir, or symlink).
type: keyword
threat.enrichments.indicator.file.uid:
dashed_name: threat-enrichments-indicator-file-uid
description: The user ID (UID) or security identifier (SID) of the file owner.
example: '1001'
flat_name: threat.enrichments.indicator.file.uid
ignore_above: 1024
level: extended
name: uid
normalize: []
original_fieldset: file
short: The user ID (UID) or security identifier (SID) of the file owner.
type: keyword
threat.enrichments.indicator.first_seen:
dashed_name: threat-enrichments-indicator-first-seen
description: The date and time when intelligence source first reported sighting
this indicator.
example: '2020-11-05T17:25:47.000Z'
flat_name: threat.enrichments.indicator.first_seen
level: extended
name: enrichments.indicator.first_seen
normalize: []
short: Date/time indicator was first reported.
type: date
threat.enrichments.indicator.geo.city_name:
dashed_name: threat-enrichments-indicator-geo-city-name
description: City name.
example: Montreal
flat_name: threat.enrichments.indicator.geo.city_name
ignore_above: 1024
level: core
name: city_name
normalize: []
original_fieldset: geo
short: City name.
type: keyword
threat.enrichments.indicator.geo.continent_code:
dashed_name: threat-enrichments-indicator-geo-continent-code
description: Two-letter code representing continent's name.
example: NA
flat_name: threat.enrichments.indicator.geo.continent_code
ignore_above: 1024
level: core
name: continent_code
normalize: []
original_fieldset: geo
short: Continent code.
type: keyword
threat.enrichments.indicator.geo.continent_name:
dashed_name: threat-enrichments-indicator-geo-continent-name
description: Name of the continent.
example: North America
flat_name: threat.enrichments.indicator.geo.continent_name
ignore_above: 1024
level: core
name: continent_name
normalize: []
original_fieldset: geo
short: Name of the continent.
type: keyword
threat.enrichments.indicator.geo.country_iso_code:
dashed_name: threat-enrichments-indicator-geo-country-iso-code
description: Country ISO code.
example: CA
flat_name: threat.enrichments.indicator.geo.country_iso_code
ignore_above: 1024
level: core
name: country_iso_code
normalize: []
original_fieldset: geo
short: Country ISO code.
type: keyword
threat.enrichments.indicator.geo.country_name:
dashed_name: threat-enrichments-indicator-geo-country-name
description: Country name.
example: Canada
flat_name: threat.enrichments.indicator.geo.country_name
ignore_above: 1024
level: core
name: country_name
normalize: []
original_fieldset: geo
short: Country name.
type: keyword
threat.enrichments.indicator.geo.location:
dashed_name: threat-enrichments-indicator-geo-location
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
flat_name: threat.enrichments.indicator.geo.location
level: core
name: location
normalize: []
original_fieldset: geo
short: Longitude and latitude.
type: geo_point
threat.enrichments.indicator.geo.name:
dashed_name: threat-enrichments-indicator-geo-name
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes a
local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
flat_name: threat.enrichments.indicator.geo.name
ignore_above: 1024
level: extended
name: name
normalize: []
original_fieldset: geo
short: User-defined description of a location.
type: keyword
threat.enrichments.indicator.geo.postal_code:
dashed_name: threat-enrichments-indicator-geo-postal-code
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
flat_name: threat.enrichments.indicator.geo.postal_code
ignore_above: 1024
level: core
name: postal_code
normalize: []
original_fieldset: geo
short: Postal code.
type: keyword
threat.enrichments.indicator.geo.region_iso_code:
dashed_name: threat-enrichments-indicator-geo-region-iso-code
description: Region ISO code.
example: CA-QC
flat_name: threat.enrichments.indicator.geo.region_iso_code
ignore_above: 1024
level: core
name: region_iso_code
normalize: []
original_fieldset: geo
short: Region ISO code.
type: keyword
threat.enrichments.indicator.geo.region_name:
dashed_name: threat-enrichments-indicator-geo-region-name
description: Region name.
example: Quebec
flat_name: threat.enrichments.indicator.geo.region_name
ignore_above: 1024
level: core
name: region_name
normalize: []
original_fieldset: geo
short: Region name.
type: keyword
threat.enrichments.indicator.geo.timezone:
dashed_name: threat-enrichments-indicator-geo-timezone
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
flat_name: threat.enrichments.indicator.geo.timezone
ignore_above: 1024
level: core
name: timezone
normalize: []
original_fieldset: geo
short: Time zone.
type: keyword
threat.enrichments.indicator.ip:
dashed_name: threat-enrichments-indicator-ip
description: Identifies a threat indicator as an IP address (irrespective of direction).
example: 1.2.3.4
flat_name: threat.enrichments.indicator.ip
level: extended
name: enrichments.indicator.ip
normalize: []
short: Indicator IP address
type: ip
threat.enrichments.indicator.last_seen:
dashed_name: threat-enrichments-indicator-last-seen
description: The date and time when intelligence source last reported sighting this
indicator.
example: '2020-11-05T17:25:47.000Z'
flat_name: threat.enrichments.indicator.last_seen
level: extended
name: enrichments.indicator.last_seen
normalize: []
short: Date/time indicator was last reported.
type: date
threat.enrichments.indicator.marking.tlp:
dashed_name: threat-enrichments-indicator-marking-tlp
description: Traffic Light Protocol (TLP) sharing marking for the indicator. `WHITE` is the TLP 1.0 name of `CLEAR`; `AMBER+STRICT` exists only in TLP 2.0.
example: CLEAR
expected_values:
- WHITE
- CLEAR
- GREEN
- AMBER
- AMBER+STRICT
- RED
flat_name: threat.enrichments.indicator.marking.tlp
ignore_above: 1024
level: extended
name: enrichments.indicator.marking.tlp
normalize: []
short: Indicator TLP marking
type: keyword
threat.enrichments.indicator.modified_at:
dashed_name: threat-enrichments-indicator-modified-at
description: The date and time when intelligence source last modified information
for this indicator.
example: '2020-11-05T17:25:47.000Z'
flat_name: threat.enrichments.indicator.modified_at
level: extended
name: enrichments.indicator.modified_at
normalize: []
short: Date/time indicator was last updated.
type: date
threat.enrichments.indicator.port:
dashed_name: threat-enrichments-indicator-port
description: Identifies a threat indicator as a port number (irrespective of direction).
example: 443
flat_name: threat.enrichments.indicator.port
level: extended
name: enrichments.indicator.port
normalize: []
short: Indicator port
type: long
threat.enrichments.indicator.provider:
dashed_name: threat-enrichments-indicator-provider
description: The name of the indicator's provider.
example: lrz_urlhaus
flat_name: threat.enrichments.indicator.provider
ignore_above: 1024
level: extended
name: enrichments.indicator.provider
normalize: []
short: Indicator provider
type: keyword
threat.enrichments.indicator.reference:
dashed_name: threat-enrichments-indicator-reference
description: Reference URL linking to additional information about this indicator.
example: https://system.example.com/indicator/0001234
flat_name: threat.enrichments.indicator.reference
ignore_above: 1024
level: extended
name: enrichments.indicator.reference
normalize: []
short: Indicator reference URL
type: keyword
threat.enrichments.indicator.registry.data.bytes:
dashed_name: threat-enrichments-indicator-registry-data-bytes
description: 'Original bytes written with base64 encoding.
For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
corresponds to the data pointed to by `lp_data`. This is optional but provides better
recoverability and should be populated for REG_BINARY encoded values.'
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
flat_name: threat.enrichments.indicator.registry.data.bytes
ignore_above: 1024
level: extended
name: data.bytes
normalize: []
original_fieldset: registry
short: Original bytes written with base64 encoding.
type: keyword
threat.enrichments.indicator.registry.data.strings:
dashed_name: threat-enrichments-indicator-registry-data-strings
description: 'Content when writing string types.
Populated as an array when writing string data to the registry. For single string
registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
For sequences of string with REG_MULTI_SZ, this array will be variable length.
For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with
the decimal representation (e.g `"1"`).'
example: '["C:\rta\red_ttp\bin\myapp.exe"]'
flat_name: threat.enrichments.indicator.registry.data.strings
level: core
name: data.strings
normalize:
- array
original_fieldset: registry
short: List of strings representing what was written to the registry.
type: wildcard
threat.enrichments.indicator.registry.data.type:
dashed_name: threat-enrichments-indicator-registry-data-type
description: Standard registry type for encoding contents
example: REG_SZ
flat_name: threat.enrichments.indicator.registry.data.type
ignore_above: 1024
level: core
name: data.type
normalize: []
original_fieldset: registry
short: Standard registry type for encoding contents
type: keyword
threat.enrichments.indicator.registry.hive:
dashed_name: threat-enrichments-indicator-registry-hive
description: Abbreviated name for the hive.
example: HKLM
flat_name: threat.enrichments.indicator.registry.hive
ignore_above: 1024
level: core
name: hive
normalize: []
original_fieldset: registry
short: Abbreviated name for the hive.
type: keyword
threat.enrichments.indicator.registry.key:
dashed_name: threat-enrichments-indicator-registry-key
description: Hive-relative path of keys.
example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
flat_name: threat.enrichments.indicator.registry.key
ignore_above: 1024
level: core
name: key
normalize: []
original_fieldset: registry
short: Hive-relative path of keys.
type: keyword
threat.enrichments.indicator.registry.path:
dashed_name: threat-enrichments-indicator-registry-path
description: Full path, including hive, key and value
example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\winword.exe\Debugger
flat_name: threat.enrichments.indicator.registry.path
ignore_above: 1024
level: core
name: path
normalize: []
original_fieldset: registry
short: Full path, including hive, key and value
type: keyword
threat.enrichments.indicator.registry.value:
dashed_name: threat-enrichments-indicator-registry-value
description: Name of the value written.
example: Debugger
flat_name: threat.enrichments.indicator.registry.value
ignore_above: 1024
level: core
name: value
normalize: []
original_fieldset: registry
short: Name of the value written.
type: keyword
threat.enrichments.indicator.scanner_stats:
dashed_name: threat-enrichments-indicator-scanner-stats
description: Count of AV/EDR vendors that successfully detected the malicious file or
URL.
example: 4
flat_name: threat.enrichments.indicator.scanner_stats
level: extended
name: enrichments.indicator.scanner_stats
normalize: []
short: Scanner statistics
type: long
threat.enrichments.indicator.sightings:
dashed_name: threat-enrichments-indicator-sightings
description: Number of times this indicator was observed conducting threat activity.
example: 20
flat_name: threat.enrichments.indicator.sightings
level: extended
name: enrichments.indicator.sightings
normalize: []
short: Number of times indicator observed
type: long
threat.enrichments.indicator.type:
dashed_name: threat-enrichments-indicator-type
description: Type of indicator as represented by Cyber Observable in STIX 2.0.
example: ipv4-addr
expected_values:
- autonomous-system
- artifact
- directory
- domain-name
- email-addr
- file
- ipv4-addr
- ipv6-addr
- mac-addr
- mutex
- port
- process
- software
- url
- user-account
- windows-registry-key
- x509-certificate
flat_name: threat.enrichments.indicator.type
ignore_above: 1024
level: extended
name: enrichments.indicator.type
normalize: []
short: Type of indicator
type: keyword
threat.enrichments.indicator.url.domain:
dashed_name: threat-enrichments-indicator-url-domain
description: 'Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain
name. In this case, the IP address would go to the `domain` field.
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732),
the `[` and `]` characters should also be captured in the `domain` field.'
example: www.elastic.co
flat_name: threat.enrichments.indicator.url.domain
ignore_above: 1024
level: extended
name: domain
normalize: []
original_fieldset: url
short: Domain of the url.
type: keyword
threat.enrichments.indicator.url.extension:
dashed_name: threat-enrichments-indicator-url-extension
description: 'The field contains the file extension from the original request url,
excluding the leading dot.
The file extension is only set if it exists, as not every url has a file extension.
The leading period must not be included. For example, the value must be "png",
not ".png".
Note that when the file name has multiple extensions (example.tar.gz), only the
last one should be captured ("gz", not "tar.gz").'
example: png
flat_name: threat.enrichments.indicator.url.extension
ignore_above: 1024
level: extended
name: extension
normalize: []
original_fieldset: url
short: File extension from the request url, excluding the leading dot.
type: keyword
threat.enrichments.indicator.url.fragment:
dashed_name: threat-enrichments-indicator-url-fragment
description: 'Portion of the url after the `#`, such as "top".
The `#` is not part of the fragment.'
flat_name: threat.enrichments.indicator.url.fragment
ignore_above: 1024
level: extended
name: fragment
normalize: []
original_fieldset: url
short: Portion of the url after the `#`.
type: keyword
threat.enrichments.indicator.url.full:
dashed_name: threat-enrichments-indicator-url-full
description: If full URLs are important to your use case, they should be stored
in `url.full`, whether this field is reconstructed or present in the event source.
example: https://www.elastic.co:443/search?q=elasticsearch#top
flat_name: threat.enrichments.indicator.url.full
level: extended
multi_fields:
- flat_name: threat.enrichments.indicator.url.full.text
name: text
type: match_only_text
name: full
normalize: []
original_fieldset: url
short: Full unparsed URL.
type: wildcard
threat.enrichments.indicator.url.original:
dashed_name: threat-enrichments-indicator-url-original
description: 'Unmodified original url as seen in the event source.
Note that in network monitoring, the observed URL may be a full URL, whereas in
access logs, the URL is often just represented as a path.
This field is meant to represent the URL as it was observed, complete or not.'
example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
flat_name: threat.enrichments.indicator.url.original
level: extended
multi_fields:
- flat_name: threat.enrichments.indicator.url.original.text
name: text
type: match_only_text
name: original
normalize: []
original_fieldset: url
short: Unmodified original url as seen in the event source.
type: wildcard
threat.enrichments.indicator.url.password:
dashed_name: threat-enrichments-indicator-url-password
description: Password from the userinfo portion of the URL (`scheme://user:password@host`), if present. Note that this stores a credential in clear text.
flat_name: threat.enrichments.indicator.url.password
ignore_above: 1024
level: extended
name: password
normalize: []
original_fieldset: url
short: Password of the request.
type: keyword
threat.enrichments.indicator.url.path:
dashed_name: threat-enrichments-indicator-url-path
description: Path of the request, such as "/search".
flat_name: threat.enrichments.indicator.url.path
level: extended
name: path
normalize: []
original_fieldset: url
short: Path of the request, such as "/search".
type: wildcard
threat.enrichments.indicator.url.port:
dashed_name: threat-enrichments-indicator-url-port
description: Port of the request, such as 443.
example: 443
flat_name: threat.enrichments.indicator.url.port
format: string
level: extended
name: port
normalize: []
original_fieldset: url
short: Port of the request, such as 443.
type: long
threat.enrichments.indicator.url.query:
dashed_name: threat-enrichments-indicator-url-query
description: 'The query field describes the query string of the request, such as
"q=elasticsearch".
The `?` is excluded from the query string. If a URL contains no `?`, there is
no query field. If there is a `?` but no query, the query field exists with an
empty string. The `exists` query can be used to differentiate between the two
cases.'
flat_name: threat.enrichments.indicator.url.query
ignore_above: 1024
level: extended
name: query
normalize: []
original_fieldset: url
short: Query string of the request.
type: keyword
threat.enrichments.indicator.url.registered_domain:
dashed_name: threat-enrichments-indicator-url-registered-domain
description: 'The highest registered url domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix list
(http://publicsuffix.org). Trying to approximate this by simply taking the last
two labels will not work well for TLDs such as "co.uk".'
example: example.com
flat_name: threat.enrichments.indicator.url.registered_domain
ignore_above: 1024
level: extended
name: registered_domain
normalize: []
original_fieldset: url
short: The highest registered url domain, stripped of the subdomain.
type: keyword
threat.enrichments.indicator.url.scheme:
dashed_name: threat-enrichments-indicator-url-scheme
description: 'Scheme of the request, such as "https".
Note: The `:` is not part of the scheme.'
example: https
flat_name: threat.enrichments.indicator.url.scheme
ignore_above: 1024
level: extended
name: scheme
normalize: []
original_fieldset: url
short: Scheme of the url.
type: keyword
threat.enrichments.indicator.url.subdomain:
dashed_name: threat-enrichments-indicator-url-subdomain
description: 'The subdomain portion of a fully qualified domain name includes all
of the names except the host name under the registered_domain. In a partially
qualified domain, or if the qualification level of the full name cannot be
determined, subdomain contains all of the names below the registered domain.
For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
subdomain field should contain "sub2.sub1", with no trailing period.'
example: east
flat_name: threat.enrichments.indicator.url.subdomain
ignore_above: 1024
level: extended
name: subdomain
normalize: []
original_fieldset: url
short: The subdomain of the domain.
type: keyword
threat.enrichments.indicator.url.top_level_domain:
dashed_name: threat-enrichments-indicator-url-top-level-domain
description: 'The effective top level domain (eTLD), also known as the domain suffix,
is the last part of the domain name. For example, the top level domain for example.com
is "com".
This value can be determined precisely with a list like the public suffix list
(http://publicsuffix.org). Trying to approximate this by simply taking the last
label will not work well for effective TLDs such as "co.uk".'
example: co.uk
flat_name: threat.enrichments.indicator.url.top_level_domain
ignore_above: 1024
level: extended
name: top_level_domain
normalize: []
original_fieldset: url
short: The effective top level domain (com, org, net, co.uk).
type: keyword
threat.enrichments.indicator.url.username:
dashed_name: threat-enrichments-indicator-url-username
description: Username of the request.
flat_name: threat.enrichments.indicator.url.username
ignore_above: 1024
level: extended
name: username
normalize: []
original_fieldset: url
short: Username of the request.
type: keyword
threat.enrichments.indicator.x509.alternative_names:
dashed_name: threat-enrichments-indicator-x509-alternative-names
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names (and
wildcards), and email addresses.
example: '*.elastic.co'
flat_name: threat.enrichments.indicator.x509.alternative_names
ignore_above: 1024
level: extended
name: alternative_names
normalize:
- array
original_fieldset: x509
short: List of subject alternative names (SAN).
type: keyword
threat.enrichments.indicator.x509.issuer.common_name:
dashed_name: threat-enrichments-indicator-x509-issuer-common-name
description: List of common names (CN) of the issuing certificate authority.
example: Example SHA2 High Assurance Server CA
flat_name: threat.enrichments.indicator.x509.issuer.common_name
ignore_above: 1024
level: extended
name: issuer.common_name
normalize:
- array
original_fieldset: x509
short: List of common name (CN) of issuing certificate authority.
type: keyword
threat.enrichments.indicator.x509.issuer.country:
dashed_name: threat-enrichments-indicator-x509-issuer-country
description: List of country (C) codes
example: US
flat_name: threat.enrichments.indicator.x509.issuer.country
ignore_above: 1024
level: extended
name: issuer.country
normalize:
- array
original_fieldset: x509
short: List of country (C) codes
type: keyword
threat.enrichments.indicator.x509.issuer.distinguished_name:
dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name
ignore_above: 1024
level: extended
name: issuer.distinguished_name
normalize: []
original_fieldset: x509
short: Distinguished name (DN) of issuing certificate authority.
type: keyword
threat.enrichments.indicator.x509.issuer.locality:
dashed_name: threat-enrichments-indicator-x509-issuer-locality
description: List of locality names (L)
example: Mountain View
flat_name: threat.enrichments.indicator.x509.issuer.locality
ignore_above: 1024
level: extended
name: issuer.locality
normalize:
- array
original_fieldset: x509
short: List of locality names (L)
type: keyword
threat.enrichments.indicator.x509.issuer.organization:
dashed_name: threat-enrichments-indicator-x509-issuer-organization
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
flat_name: threat.enrichments.indicator.x509.issuer.organization
ignore_above: 1024
level: extended
name: issuer.organization
normalize:
- array
original_fieldset: x509
short: List of organizations (O) of issuing certificate authority.
type: keyword
threat.enrichments.indicator.x509.issuer.organizational_unit:
dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit
ignore_above: 1024
level: extended
name: issuer.organizational_unit
normalize:
- array
original_fieldset: x509
short: List of organizational units (OU) of issuing certificate authority.
type: keyword
threat.enrichments.indicator.x509.issuer.state_or_province:
dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province
description: List of state or province names (ST, S, or P)
example: California
flat_name: threat.enrichments.indicator.x509.issuer.state_or_province
ignore_above: 1024
level: extended
name: issuer.state_or_province
normalize:
- array
original_fieldset: x509
short: List of state or province names (ST, S, or P)
type: keyword
threat.enrichments.indicator.x509.not_after:
dashed_name: threat-enrichments-indicator-x509-not-after
description: Time at which the certificate is no longer considered valid.
example: '2020-07-16T03:15:39Z'
flat_name: threat.enrichments.indicator.x509.not_after
level: extended
name: not_after
normalize: []
original_fieldset: x509
short: Time at which the certificate is no longer considered valid.
type: date
threat.enrichments.indicator.x509.not_before:
dashed_name: threat-enrichments-indicator-x509-not-before
description: Time at which the certificate is first considered valid.
example: '2019-08-16T01:40:25Z'
flat_name: threat.enrichments.indicator.x509.not_before
level: extended
name: not_before
normalize: []
original_fieldset: x509
short: Time at which the certificate is first considered valid.
type: date
threat.enrichments.indicator.x509.public_key_algorithm:
dashed_name: threat-enrichments-indicator-x509-public-key-algorithm
description: Algorithm used to generate the public key.
example: RSA
flat_name: threat.enrichments.indicator.x509.public_key_algorithm
ignore_above: 1024
level: extended
name: public_key_algorithm
normalize: []
original_fieldset: x509
short: Algorithm used to generate the public key.
type: keyword
threat.enrichments.indicator.x509.public_key_curve:
dashed_name: threat-enrichments-indicator-x509-public-key-curve
description: The curve used by the elliptic curve public key algorithm. This is
algorithm specific.
example: nistp521
flat_name: threat.enrichments.indicator.x509.public_key_curve
ignore_above: 1024
level: extended
name: public_key_curve
normalize: []
original_fieldset: x509
short: The curve used by the elliptic curve public key algorithm. This is algorithm
specific.
type: keyword
threat.enrichments.indicator.x509.public_key_exponent:
dashed_name: threat-enrichments-indicator-x509-public-key-exponent
description: Exponent used to derive the public key. This is algorithm specific.
doc_values: false
example: 65537
flat_name: threat.enrichments.indicator.x509.public_key_exponent
index: false
level: extended
name: public_key_exponent
normalize: []
original_fieldset: x509
short: Exponent used to derive the public key. This is algorithm specific.
type: long
threat.enrichments.indicator.x509.public_key_size:
dashed_name: threat-enrichments-indicator-x509-public-key-size
description: The size of the public key space in bits.
example: 2048
flat_name: threat.enrichments.indicator.x509.public_key_size
level: extended
name: public_key_size
normalize: []
original_fieldset: x509
short: The size of the public key space in bits.
type: long
threat.enrichments.indicator.x509.serial_number:
dashed_name: threat-enrichments-indicator-x509-serial-number
description: Unique serial number issued by the certificate authority. For consistency,
if this value is alphanumeric, it should be formatted without colons and in uppercase
characters (as in the example).
example: 55FBB9C7DEBF09809D12CCAA
flat_name: threat.enrichments.indicator.x509.serial_number
ignore_above: 1024
level: extended
name: serial_number
normalize: []
original_fieldset: x509
short: Unique serial number issued by the certificate authority.
type: keyword
threat.enrichments.indicator.x509.signature_algorithm:
dashed_name: threat-enrichments-indicator-x509-signature-algorithm
description: Identifier for certificate signature algorithm. We recommend using the
names found in the Go crypto/x509 library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
flat_name: threat.enrichments.indicator.x509.signature_algorithm
ignore_above: 1024
level: extended
name: signature_algorithm
normalize: []
original_fieldset: x509
short: Identifier for certificate signature algorithm.
type: keyword
threat.enrichments.indicator.x509.subject.common_name:
dashed_name: threat-enrichments-indicator-x509-subject-common-name
description: List of common names (CN) of subject.
example: shared.global.example.net
flat_name: threat.enrichments.indicator.x509.subject.common_name
ignore_above: 1024
level: extended
name: subject.common_name
normalize:
- array
original_fieldset: x509
short: List of common names (CN) of subject.
type: keyword
threat.enrichments.indicator.x509.subject.country:
dashed_name: threat-enrichments-indicator-x509-subject-country
description: List of country (C) codes of subject.
example: US
flat_name: threat.enrichments.indicator.x509.subject.country
ignore_above: 1024
level: extended
name: subject.country
normalize:
- array
original_fieldset: x509
short: List of country (C) codes of subject.
type: keyword
threat.enrichments.indicator.x509.subject.distinguished_name:
dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
flat_name: threat.enrichments.indicator.x509.subject.distinguished_name
ignore_above: 1024
level: extended
name: subject.distinguished_name
normalize: []
original_fieldset: x509
short: Distinguished name (DN) of the certificate subject entity.
type: keyword
threat.enrichments.indicator.x509.subject.locality:
dashed_name: threat-enrichments-indicator-x509-subject-locality
description: List of locality names (L)
example: San Francisco
flat_name: threat.enrichments.indicator.x509.subject.locality
ignore_above: 1024
level: extended
name: subject.locality
normalize:
- array
original_fieldset: x509
short: List of locality names (L)
type: keyword
threat.enrichments.indicator.x509.subject.organization:
dashed_name: threat-enrichments-indicator-x509-subject-organization
description: List of organizations (O) of subject.
example: Example, Inc.
flat_name: threat.enrichments.indicator.x509.subject.organization
ignore_above: 1024
level: extended
name: subject.organization
normalize:
- array
original_fieldset: x509
short: List of organizations (O) of subject.
type: keyword
threat.enrichments.indicator.x509.subject.organizational_unit:
dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit
description: List of organizational units (OU) of subject.
flat_name: threat.enrichments.indicator.x509.subject.organizational_unit
ignore_above: 1024
level: extended
name: subject.organizational_unit
normalize:
- array
original_fieldset: x509
short: List of organizational units (OU) of subject.
type: keyword
threat.enrichments.indicator.x509.subject.state_or_province:
dashed_name: threat-enrichments-indicator-x509-subject-state-or-province
description: List of state or province names (ST, S, or P)
example: California
flat_name: threat.enrichments.indicator.x509.subject.state_or_province
ignore_above: 1024
level: extended
name: subject.state_or_province
normalize:
- array
original_fieldset: x509
short: List of state or province names (ST, S, or P)
type: keyword
threat.enrichments.indicator.x509.version_number:
dashed_name: threat-enrichments-indicator-x509-version-number
description: Version of x509 format.
example: 3
flat_name: threat.enrichments.indicator.x509.version_number
ignore_above: 1024
level: extended
name: version_number
normalize: []
original_fieldset: x509
short: Version of x509 format.
type: keyword
threat.enrichments.matched.atomic:
dashed_name: threat-enrichments-matched-atomic
description: Identifies the atomic indicator value that matched a local environment
endpoint or network event.
example: bad-domain.com
flat_name: threat.enrichments.matched.atomic
ignore_above: 1024
level: extended
name: enrichments.matched.atomic
normalize: []
short: Matched indicator value
type: keyword
threat.enrichments.matched.field:
dashed_name: threat-enrichments-matched-field
description: Identifies the field of the atomic indicator that matched a local environment
endpoint or network event.
example: file.hash.sha256
flat_name: threat.enrichments.matched.field
ignore_above: 1024
level: extended
name: enrichments.matched.field
normalize: []
short: Matched indicator field
type: keyword
threat.enrichments.matched.id:
dashed_name: threat-enrichments-matched-id
description: Identifies the _id of the indicator document enriching the event.
example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
flat_name: threat.enrichments.matched.id
ignore_above: 1024
level: extended
name: enrichments.matched.id
normalize: []
short: Matched indicator identifier
type: keyword
threat.enrichments.matched.index:
dashed_name: threat-enrichments-matched-index
description: Identifies the _index of the indicator document enriching the event.
example: filebeat-8.0.0-2021.05.23-000011
flat_name: threat.enrichments.matched.index
ignore_above: 1024
level: extended
name: enrichments.matched.index
normalize: []
short: Matched indicator index
type: keyword
threat.enrichments.matched.type:
dashed_name: threat-enrichments-matched-type
description: Identifies the type of match that caused the event to be enriched with
the given indicator
example: indicator_match_rule
flat_name: threat.enrichments.matched.type
ignore_above: 1024
level: extended
name: enrichments.matched.type
normalize: []
short: Type of indicator match
type: keyword
threat.framework:
dashed_name: threat-framework
description: Name of the threat framework used to further categorize and classify
the tactic and technique of the reported threat. Framework classification can
be provided by detecting systems, evaluated at ingest time, or retrospectively
tagged to events.
example: MITRE ATT&CK
flat_name: threat.framework
ignore_above: 1024
level: extended
name: framework
normalize: []
short: Threat classification framework.
type: keyword
threat.group.alias:
dashed_name: threat-group-alias
description: "The alias(es) of the group for a set of related intrusion activity\
\ that are tracked by a common name in the security community.\nWhile not required,\
\ you can use a MITRE ATT&CK\xAE group alias(es)."
example: '[ "Magecart Group 6" ]'
flat_name: threat.group.alias
ignore_above: 1024
level: extended
name: group.alias
normalize:
- array
short: Alias of the group.
type: keyword
threat.group.id:
dashed_name: threat-group-id
description: "The id of the group for a set of related intrusion activity that are\
\ tracked by a common name in the security community.\nWhile not required, you\
\ can use a MITRE ATT&CK\xAE group id."
example: G0037
flat_name: threat.group.id
ignore_above: 1024
level: extended
name: group.id
normalize: []
short: ID of the group.
type: keyword
threat.group.name:
dashed_name: threat-group-name
description: "The name of the group for a set of related intrusion activity that\
\ are tracked by a common name in the security community.\nWhile not required,\
\ you can use a MITRE ATT&CK\xAE group name."
example: FIN6
flat_name: threat.group.name
ignore_above: 1024
level: extended
name: group.name
normalize: []
short: Name of the group.
type: keyword
threat.group.reference:
dashed_name: threat-group-reference
description: "The reference URL of the group for a set of related intrusion activity\
\ that are tracked by a common name in the security community.\nWhile not required,\
\ you can use a MITRE ATT&CK\xAE group reference URL."
example: https://attack.mitre.org/groups/G0037/
flat_name: threat.group.reference
ignore_above: 1024
level: extended
name: group.reference
normalize: []
short: Reference URL of the group.
type: keyword
threat.indicator.as.number:
dashed_name: threat-indicator-as-number
description: Unique number allocated to the autonomous system. The autonomous system
number (ASN) uniquely identifies each network on the Internet.
example: 15169
flat_name: threat.indicator.as.number
level: extended
name: number
normalize: []
original_fieldset: as
short: Unique number allocated to the autonomous system.
type: long
threat.indicator.as.organization.name:
dashed_name: threat-indicator-as-organization-name
description: Organization name.
example: Google LLC
flat_name: threat.indicator.as.organization.name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: threat.indicator.as.organization.name.text
name: text
type: match_only_text
name: organization.name
normalize: []
original_fieldset: as
short: Organization name.
type: keyword
threat.indicator.confidence:
dashed_name: threat-indicator-confidence
description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High
scale defined in Appendix A of the STIX 2.1 framework. The additional value Not Specified
covers indicators whose source provides no rating. Vendor-specific confidence scales
may be added as custom fields.
example: Medium
expected_values:
- Not Specified
- None
- Low
- Medium
- High
flat_name: threat.indicator.confidence
ignore_above: 1024
level: extended
name: indicator.confidence
normalize: []
short: Indicator confidence rating
type: keyword
threat.indicator.description:
dashed_name: threat-indicator-description
description: Describes the type of action conducted by the threat.
example: IP x.x.x.x was observed delivering the Angler EK.
flat_name: threat.indicator.description
ignore_above: 1024
level: extended
name: indicator.description
normalize: []
short: Indicator description
type: keyword
threat.indicator.email.address:
dashed_name: threat-indicator-email-address
description: Identifies a threat indicator as an email address (irrespective of
direction).
example: phish@example.com
flat_name: threat.indicator.email.address
ignore_above: 1024
level: extended
name: indicator.email.address
normalize: []
short: Indicator email address
type: keyword
threat.indicator.file.Ext:
dashed_name: threat-indicator-file-Ext
description: Object for all custom defined fields to live in.
flat_name: threat.indicator.file.Ext
level: custom
name: Ext
normalize: []
original_fieldset: file
short: Object for all custom defined fields to live in.
type: object
threat.indicator.file.Ext.code_signature:
dashed_name: threat-indicator-file-Ext-code-signature
description: Nested version of ECS code_signature fieldset.
flat_name: threat.indicator.file.Ext.code_signature
level: custom
name: Ext.code_signature
normalize: []
original_fieldset: file
short: Nested version of ECS code_signature fieldset.
type: nested
threat.indicator.file.Ext.code_signature.exists:
dashed_name: threat-indicator-file-Ext-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: threat.indicator.file.Ext.code_signature.exists
level: core
name: Ext.code_signature.exists
normalize: []
original_fieldset: file
short: Boolean to capture if a signature is present.
type: boolean
threat.indicator.file.Ext.code_signature.status:
dashed_name: threat-indicator-file-Ext-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: threat.indicator.file.Ext.code_signature.status
ignore_above: 1024
level: custom
name: Ext.code_signature.status
normalize: []
original_fieldset: file
short: Additional information about the certificate status.
type: keyword
threat.indicator.file.Ext.code_signature.subject_name:
dashed_name: threat-indicator-file-Ext-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: threat.indicator.file.Ext.code_signature.subject_name
ignore_above: 1024
level: core
name: Ext.code_signature.subject_name
normalize: []
original_fieldset: file
short: Subject name of the code signer
type: keyword
threat.indicator.file.Ext.code_signature.trusted:
dashed_name: threat-indicator-file-Ext-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: threat.indicator.file.Ext.code_signature.trusted
level: custom
name: Ext.code_signature.trusted
normalize: []
original_fieldset: file
short: Stores the trust status of the certificate chain.
type: boolean
threat.indicator.file.Ext.code_signature.valid:
dashed_name: threat-indicator-file-Ext-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content, i.e. whether the signature cryptographically matches the file. A valid
signature does not by itself establish that the signing certificate chains to a trusted
root; that is recorded separately in code_signature.trusted.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: threat.indicator.file.Ext.code_signature.valid
level: custom
name: Ext.code_signature.valid
normalize: []
original_fieldset: file
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
threat.indicator.file.Ext.device.bus_type:
dashed_name: threat-indicator-file-Ext-device-bus-type
description: Bus type of the device, such as Nvme, Usb, or FileBackedVirtual.
flat_name: threat.indicator.file.Ext.device.bus_type
ignore_above: 1024
level: custom
name: Ext.device.bus_type
normalize: []
original_fieldset: file
short: Bus type of the device.
type: keyword
threat.indicator.file.Ext.device.dos_name:
dashed_name: threat-indicator-file-Ext-device-dos-name
description: DOS name of the device. DOS device names take the form of drive
letters such as C:, D:, and so on.
flat_name: threat.indicator.file.Ext.device.dos_name
ignore_above: 1024
level: custom
name: Ext.device.dos_name
normalize: []
original_fieldset: file
short: DOS name of the device.
type: keyword
threat.indicator.file.Ext.device.nt_name:
dashed_name: threat-indicator-file-Ext-device-nt-name
description: 'NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2'
flat_name: threat.indicator.file.Ext.device.nt_name
ignore_above: 1024
level: custom
name: Ext.device.nt_name
normalize: []
original_fieldset: file
short: NT name of the device.
type: keyword
threat.indicator.file.Ext.device.product_id:
dashed_name: threat-indicator-file-Ext-device-product-id
description: ProductID of the device, as provided by the device vendor, if the vendor
supplies one.
flat_name: threat.indicator.file.Ext.device.product_id
ignore_above: 1024
level: custom
name: Ext.device.product_id
normalize: []
original_fieldset: file
short: ProductID of the device.
type: keyword
threat.indicator.file.Ext.device.serial_number:
dashed_name: threat-indicator-file-Ext-device-serial-number
description: Serial Number of the device, as provided by the device vendor, if the vendor
supplies one.
flat_name: threat.indicator.file.Ext.device.serial_number
ignore_above: 1024
level: custom
name: Ext.device.serial_number
normalize: []
original_fieldset: file
short: Serial Number of the device.
type: keyword
threat.indicator.file.Ext.device.vendor_id:
dashed_name: threat-indicator-file-Ext-device-vendor-id
description: VendorID of the device. It is provided by the vendor of the device.
flat_name: threat.indicator.file.Ext.device.vendor_id
ignore_above: 1024
level: custom
name: Ext.device.vendor_id
normalize: []
original_fieldset: file
short: VendorID of the device.
type: keyword
threat.indicator.file.Ext.entropy:
dashed_name: threat-indicator-file-Ext-entropy
description: Entropy calculation of file's header and footer used to check file
integrity.
flat_name: threat.indicator.file.Ext.entropy
level: custom
name: Ext.entropy
normalize: []
original_fieldset: file
short: File entropy value
type: double
threat.indicator.file.Ext.entry_modified:
dashed_name: threat-indicator-file-Ext-entry-modified
description: Time of last status change. See `st_ctim` member of `struct stat`.
flat_name: threat.indicator.file.Ext.entry_modified
level: custom
name: Ext.entry_modified
normalize: []
original_fieldset: file
short: Time of last status change. See `st_ctim` member of `struct stat`.
type: double
threat.indicator.file.Ext.header_bytes:
dashed_name: threat-indicator-file-Ext-header-bytes
description: First 16 bytes of file used to check file integrity.
flat_name: threat.indicator.file.Ext.header_bytes
ignore_above: 1024
level: custom
name: Ext.header_bytes
normalize: []
original_fieldset: file
short: Header bytes
type: keyword
threat.indicator.file.Ext.header_data:
dashed_name: threat-indicator-file-Ext-header-data
description: First 16 bytes of file used to check file integrity.
flat_name: threat.indicator.file.Ext.header_data
level: custom
name: Ext.header_data
normalize: []
norms: false
original_fieldset: file
short: Header data
type: text
threat.indicator.file.Ext.malware_classification.features.data.buffer:
dashed_name: threat-indicator-file-Ext-malware-classification-features-data-buffer
description: The features extracted from this file and evaluated by the model. Usually
an array of floats. Likely zlib-encoded.
flat_name: threat.indicator.file.Ext.malware_classification.features.data.buffer
ignore_above: 1024
level: custom
name: features.data.buffer
normalize: []
original_fieldset: malware_classification
short: The features extracted from this file and evaluated by the model. Usually
an array of floats. Likely zlib-encoded.
type: keyword
threat.indicator.file.Ext.malware_classification.features.data.decompressed_size:
dashed_name: threat-indicator-file-Ext-malware-classification-features-data-decompressed-size
description: The decompressed size of buffer.
flat_name: threat.indicator.file.Ext.malware_classification.features.data.decompressed_size
level: custom
name: features.data.decompressed_size
normalize: []
original_fieldset: malware_classification
short: The decompressed size of buffer.
type: integer
threat.indicator.file.Ext.malware_classification.features.data.encoding:
dashed_name: threat-indicator-file-Ext-malware-classification-features-data-encoding
description: The encoding of buffer (e.g. zlib).
flat_name: threat.indicator.file.Ext.malware_classification.features.data.encoding
ignore_above: 1024
level: custom
name: features.data.encoding
normalize: []
original_fieldset: malware_classification
short: The encoding of buffer (e.g. zlib).
type: keyword
threat.indicator.file.Ext.malware_classification.identifier:
dashed_name: threat-indicator-file-Ext-malware-classification-identifier
description: The model's unique identifier.
flat_name: threat.indicator.file.Ext.malware_classification.identifier
ignore_above: 1024
level: custom
name: identifier
normalize: []
original_fieldset: malware_classification
short: The model's unique identifier.
type: keyword
threat.indicator.file.Ext.malware_classification.score:
dashed_name: threat-indicator-file-Ext-malware-classification-score
description: The score produced by the classification model.
flat_name: threat.indicator.file.Ext.malware_classification.score
level: custom
name: score
normalize: []
original_fieldset: malware_classification
short: The score produced by the classification model.
type: double
threat.indicator.file.Ext.malware_classification.threshold:
dashed_name: threat-indicator-file-Ext-malware-classification-threshold
description: The score threshold for the model. Files that score above this threshold
are considered malicious.
flat_name: threat.indicator.file.Ext.malware_classification.threshold
level: custom
name: threshold
normalize: []
original_fieldset: malware_classification
short: The score threshold for the model. Files that score above this threshold
are considered malicious.
type: double
threat.indicator.file.Ext.malware_classification.upx_packed:
dashed_name: threat-indicator-file-Ext-malware-classification-upx-packed
description: Whether UPX packing was detected.
flat_name: threat.indicator.file.Ext.malware_classification.upx_packed
level: custom
name: upx_packed
normalize: []
original_fieldset: malware_classification
short: Whether UPX packing was detected.
type: boolean
threat.indicator.file.Ext.malware_classification.version:
dashed_name: threat-indicator-file-Ext-malware-classification-version
description: The version of the model used.
flat_name: threat.indicator.file.Ext.malware_classification.version
ignore_above: 1024
level: custom
name: version
normalize: []
original_fieldset: malware_classification
short: The version of the model used.
type: keyword
threat.indicator.file.Ext.malware_signature:
dashed_name: threat-indicator-file-Ext-malware-signature
description: Nested version of malware_signature fieldset.
flat_name: threat.indicator.file.Ext.malware_signature
level: custom
name: Ext.malware_signature
normalize: []
original_fieldset: file
short: Nested version of malware_signature fieldset.
type: nested
threat.indicator.file.Ext.malware_signature.all_names:
dashed_name: threat-indicator-file-Ext-malware-signature-all-names
description: The concatenated names of all YARA signatures that matched.
flat_name: threat.indicator.file.Ext.malware_signature.all_names
level: custom
name: Ext.malware_signature.all_names
normalize: []
norms: false
original_fieldset: file
short: Yara signature names
type: text
threat.indicator.file.Ext.malware_signature.identifier:
dashed_name: threat-indicator-file-Ext-malware-signature-identifier
description: Malware artifact identifier.
flat_name: threat.indicator.file.Ext.malware_signature.identifier
level: custom
name: Ext.malware_signature.identifier
normalize: []
norms: false
original_fieldset: file
short: Malware artifact identifier
type: text
threat.indicator.file.Ext.malware_signature.primary:
dashed_name: threat-indicator-file-Ext-malware-signature-primary
description: Primary malware signature match.
flat_name: threat.indicator.file.Ext.malware_signature.primary
level: custom
name: Ext.malware_signature.primary
normalize: []
original_fieldset: file
short: Primary malware signature match
type: nested
threat.indicator.file.Ext.malware_signature.primary.matches:
dashed_name: threat-indicator-file-Ext-malware-signature-primary-matches
description: An array of bytes representing YARA signature matches.
flat_name: threat.indicator.file.Ext.malware_signature.primary.matches
level: custom
name: Ext.malware_signature.primary.matches
normalize:
- array
original_fieldset: file
short: signature match bytes
type: nested
threat.indicator.file.Ext.malware_signature.primary.signature:
dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature
description: Primary malware signature match.
flat_name: threat.indicator.file.Ext.malware_signature.primary.signature
level: custom
name: Ext.malware_signature.primary.signature
normalize: []
original_fieldset: file
short: Primary malware signature match
type: nested
threat.indicator.file.Ext.malware_signature.primary.signature.hash:
dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature-hash
description: Primary malware signature hash.
flat_name: threat.indicator.file.Ext.malware_signature.primary.signature.hash
level: custom
name: Ext.malware_signature.primary.signature.hash
normalize: []
original_fieldset: file
short: Primary malware signature hash
type: nested
threat.indicator.file.Ext.malware_signature.primary.signature.hash.sha256:
dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature-hash-sha256
description: Primary malware signature sha256.
flat_name: threat.indicator.file.Ext.malware_signature.primary.signature.hash.sha256
ignore_above: 1024
level: custom
name: Ext.malware_signature.primary.signature.hash.sha256
normalize: []
original_fieldset: file
short: Primary malware signature sha256
type: keyword
threat.indicator.file.Ext.malware_signature.primary.signature.id:
dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature-id
description: Primary malware signature id.
flat_name: threat.indicator.file.Ext.malware_signature.primary.signature.id
ignore_above: 1024
level: custom
name: Ext.malware_signature.primary.signature.id
normalize: []
original_fieldset: file
short: Primary malware signature id
type: keyword
threat.indicator.file.Ext.malware_signature.primary.signature.name:
dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature-name
description: Primary malware signature name.
flat_name: threat.indicator.file.Ext.malware_signature.primary.signature.name
ignore_above: 1024
level: custom
name: Ext.malware_signature.primary.signature.name
normalize: []
original_fieldset: file
short: Primary malware signature name
type: keyword
threat.indicator.file.Ext.malware_signature.secondary:
dashed_name: threat-indicator-file-Ext-malware-signature-secondary
description: An array of malware signature matches
flat_name: threat.indicator.file.Ext.malware_signature.secondary
level: custom
name: Ext.malware_signature.secondary
normalize:
- array
original_fieldset: file
short: secondary signature matches
type: nested
threat.indicator.file.Ext.malware_signature.version:
dashed_name: threat-indicator-file-Ext-malware-signature-version
description: Primary malware signature version.
flat_name: threat.indicator.file.Ext.malware_signature.version
ignore_above: 1024
level: custom
name: Ext.malware_signature.version
normalize: []
original_fieldset: file
short: Primary malware signature version
type: keyword
threat.indicator.file.Ext.monotonic_id:
dashed_name: threat-indicator-file-Ext-monotonic-id
description: File event monotonic ID.
flat_name: threat.indicator.file.Ext.monotonic_id
level: custom
name: Ext.monotonic_id
normalize: []
original_fieldset: file
short: File event monotonic ID
type: unsigned_long
threat.indicator.file.Ext.original:
dashed_name: threat-indicator-file-Ext-original
description: Original file information during a modification event.
flat_name: threat.indicator.file.Ext.original
level: custom
name: Ext.original
normalize: []
original_fieldset: file
short: Original file information during a modification event.
type: object
threat.indicator.file.Ext.original.gid:
dashed_name: threat-indicator-file-Ext-original-gid
description: Primary group ID (GID) of the file.
example: '1001'
flat_name: threat.indicator.file.Ext.original.gid
ignore_above: 1024
level: custom
name: Ext.original.gid
normalize: []
original_fieldset: file
short: Primary group ID (GID) of the file.
type: keyword
threat.indicator.file.Ext.original.group:
dashed_name: threat-indicator-file-Ext-original-group
description: Primary group name of the file.
example: alice
flat_name: threat.indicator.file.Ext.original.group
ignore_above: 1024
level: custom
name: Ext.original.group
normalize: []
original_fieldset: file
short: Primary group name of the file.
type: keyword
threat.indicator.file.Ext.original.mode:
dashed_name: threat-indicator-file-Ext-original-mode
description: Original file mode prior to a modification event
flat_name: threat.indicator.file.Ext.original.mode
ignore_above: 1024
level: custom
name: Ext.original.mode
normalize: []
original_fieldset: file
short: Original file mode prior to a modification event
type: keyword
threat.indicator.file.Ext.original.name:
dashed_name: threat-indicator-file-Ext-original-name
description: Original file name prior to a modification event
flat_name: threat.indicator.file.Ext.original.name
ignore_above: 1024
level: custom
name: Ext.original.name
normalize: []
original_fieldset: file
short: Original file name prior to a modification event
type: keyword
threat.indicator.file.Ext.original.owner:
dashed_name: threat-indicator-file-Ext-original-owner
description: File owner's username.
example: alice
flat_name: threat.indicator.file.Ext.original.owner
ignore_above: 1024
level: custom
name: Ext.original.owner
normalize: []
original_fieldset: file
short: File owner's username.
type: keyword
threat.indicator.file.Ext.original.path:
dashed_name: threat-indicator-file-Ext-original-path
description: Original file path prior to a modification event
flat_name: threat.indicator.file.Ext.original.path
ignore_above: 1024
level: custom
name: Ext.original.path
normalize: []
original_fieldset: file
short: Original file path prior to a modification event
type: keyword
threat.indicator.file.Ext.original.uid:
dashed_name: threat-indicator-file-Ext-original-uid
description: The user ID (UID) or security identifier (SID) of the file owner.
example: '1001'
flat_name: threat.indicator.file.Ext.original.uid
ignore_above: 1024
level: custom
name: Ext.original.uid
normalize: []
original_fieldset: file
short: The user ID (UID) or security identifier (SID) of the file owner.
type: keyword
threat.indicator.file.Ext.quarantine_message:
dashed_name: threat-indicator-file-Ext-quarantine-message
description: Message describing quarantine results.
flat_name: threat.indicator.file.Ext.quarantine_message
ignore_above: 1024
level: custom
name: Ext.quarantine_message
normalize: []
original_fieldset: file
short: Message describing quarantine results.
type: keyword
threat.indicator.file.Ext.quarantine_path:
dashed_name: threat-indicator-file-Ext-quarantine-path
description: Original path on the endpoint of the file before it was quarantined.
flat_name: threat.indicator.file.Ext.quarantine_path
ignore_above: 1024
level: custom
name: Ext.quarantine_path
normalize: []
original_fieldset: file
short: Original path on the endpoint of the file before it was quarantined.
type: keyword
threat.indicator.file.Ext.quarantine_result:
dashed_name: threat-indicator-file-Ext-quarantine-result
description: Boolean representing whether or not file quarantine succeeded.
flat_name: threat.indicator.file.Ext.quarantine_result
level: custom
name: Ext.quarantine_result
normalize: []
original_fieldset: file
short: Boolean representing whether or not file quarantine succeeded.
type: boolean
threat.indicator.file.Ext.temp_file_path:
dashed_name: threat-indicator-file-Ext-temp-file-path
description: Path on endpoint where a copy of the file is being stored. Used to
make ephemeral files retrievable.
flat_name: threat.indicator.file.Ext.temp_file_path
ignore_above: 1024
level: custom
name: Ext.temp_file_path
normalize: []
original_fieldset: file
short: Path on endpoint where a copy of the file is being stored. Used to make
ephemeral files retrievable.
type: keyword
threat.indicator.file.Ext.windows:
dashed_name: threat-indicator-file-Ext-windows
description: Platform-specific Windows fields
flat_name: threat.indicator.file.Ext.windows
level: custom
name: Ext.windows
normalize: []
original_fieldset: file
short: Platform-specific Windows fields
type: object
threat.indicator.file.Ext.windows.zone_identifier:
dashed_name: threat-indicator-file-Ext-windows-zone-identifier
description: Windows zone identifier for a file
flat_name: threat.indicator.file.Ext.windows.zone_identifier
ignore_above: 1024
level: custom
name: Ext.windows.zone_identifier
normalize: []
original_fieldset: file
short: Windows zone identifier for a file
type: keyword
threat.indicator.file.accessed:
dashed_name: threat-indicator-file-accessed
description: 'Last time the file was accessed.
Note that not all filesystems keep track of access time.'
flat_name: threat.indicator.file.accessed
level: extended
name: accessed
normalize: []
original_fieldset: file
short: Last time the file was accessed.
type: date
threat.indicator.file.attributes:
dashed_name: threat-indicator-file-attributes
description: 'Array of file attributes.
Attributes names will vary by platform. Here''s a non-exhaustive list of values
that are expected in this field: archive, compressed, directory, encrypted, execute,
hidden, read, readonly, system, write.'
example: '["readonly", "system"]'
flat_name: threat.indicator.file.attributes
ignore_above: 1024
level: extended
name: attributes
normalize:
- array
original_fieldset: file
short: Array of file attributes.
type: keyword
threat.indicator.file.code_signature.exists:
dashed_name: threat-indicator-file-code-signature-exists
description: Boolean to capture if a signature is present.
example: 'true'
flat_name: threat.indicator.file.code_signature.exists
level: core
name: exists
normalize: []
original_fieldset: code_signature
short: Boolean to capture if a signature is present.
type: boolean
threat.indicator.file.code_signature.signing_id:
dashed_name: threat-indicator-file-code-signature-signing-id
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor. The
field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
flat_name: threat.indicator.file.code_signature.signing_id
ignore_above: 1024
level: extended
name: signing_id
normalize: []
original_fieldset: code_signature
short: The identifier used to sign the process.
type: keyword
threat.indicator.file.code_signature.status:
dashed_name: threat-indicator-file-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
flat_name: threat.indicator.file.code_signature.status
ignore_above: 1024
level: extended
name: status
normalize: []
original_fieldset: code_signature
short: Additional information about the certificate status.
type: keyword
threat.indicator.file.code_signature.subject_name:
dashed_name: threat-indicator-file-code-signature-subject-name
description: Subject name of the code signer
example: Microsoft Corporation
flat_name: threat.indicator.file.code_signature.subject_name
ignore_above: 1024
level: core
name: subject_name
normalize: []
original_fieldset: code_signature
short: Subject name of the code signer
type: keyword
threat.indicator.file.code_signature.team_id:
dashed_name: threat-indicator-file-code-signature-team-id
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field is
relevant to Apple *OS only.'
example: EQHXZ8M8AV
flat_name: threat.indicator.file.code_signature.team_id
ignore_above: 1024
level: extended
name: team_id
normalize: []
original_fieldset: code_signature
short: The team identifier used to sign the process.
type: keyword
threat.indicator.file.code_signature.trusted:
dashed_name: threat-indicator-file-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
example: 'true'
flat_name: threat.indicator.file.code_signature.trusted
level: extended
name: trusted
normalize: []
original_fieldset: code_signature
short: Stores the trust status of the certificate chain.
type: boolean
threat.indicator.file.code_signature.valid:
dashed_name: threat-indicator-file-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
flat_name: threat.indicator.file.code_signature.valid
level: extended
name: valid
normalize: []
original_fieldset: code_signature
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
threat.indicator.file.created:
dashed_name: threat-indicator-file-created
description: 'File creation time.
Note that not all filesystems store the creation time.'
flat_name: threat.indicator.file.created
level: extended
name: created
normalize: []
original_fieldset: file
short: File creation time.
type: date
threat.indicator.file.ctime:
dashed_name: threat-indicator-file-ctime
description: 'Last time the file attributes or metadata changed.
Note that changes to the file content will update `mtime`. This implies `ctime`
will be adjusted at the same time, since `mtime` is an attribute of the file.'
flat_name: threat.indicator.file.ctime
level: extended
name: ctime
normalize: []
original_fieldset: file
short: Last time the file attributes or metadata changed.
type: date
threat.indicator.file.device:
dashed_name: threat-indicator-file-device
description: Device that is the source of the file.
example: sda
flat_name: threat.indicator.file.device
ignore_above: 1024
level: extended
name: device
normalize: []
original_fieldset: file
short: Device that is the source of the file.
type: keyword
threat.indicator.file.directory:
dashed_name: threat-indicator-file-directory
description: Directory where the file is located. It should include the drive letter,
when appropriate.
example: /home/alice
flat_name: threat.indicator.file.directory
ignore_above: 1024
level: extended
name: directory
normalize: []
original_fieldset: file
short: Directory where the file is located.
type: keyword
threat.indicator.file.drive_letter:
dashed_name: threat-indicator-file-drive-letter
description: 'Drive letter where the file is located. This field is only relevant
on Windows.
The value should be uppercase, and not include the colon.'
example: C
flat_name: threat.indicator.file.drive_letter
ignore_above: 1
level: extended
name: drive_letter
normalize: []
original_fieldset: file
short: Drive letter where the file is located.
type: keyword
threat.indicator.file.elf.architecture:
dashed_name: threat-indicator-file-elf-architecture
description: Machine architecture of the ELF file.
example: x86-64
flat_name: threat.indicator.file.elf.architecture
ignore_above: 1024
level: extended
name: architecture
normalize: []
original_fieldset: elf
short: Machine architecture of the ELF file.
type: keyword
threat.indicator.file.elf.byte_order:
dashed_name: threat-indicator-file-elf-byte-order
description: Byte order of the ELF file.
example: Little Endian
flat_name: threat.indicator.file.elf.byte_order
ignore_above: 1024
level: extended
name: byte_order
normalize: []
original_fieldset: elf
short: Byte order of the ELF file.
type: keyword
threat.indicator.file.elf.cpu_type:
dashed_name: threat-indicator-file-elf-cpu-type
description: CPU type of the ELF file.
example: Intel
flat_name: threat.indicator.file.elf.cpu_type
ignore_above: 1024
level: extended
name: cpu_type
normalize: []
original_fieldset: elf
short: CPU type of the ELF file.
type: keyword
threat.indicator.file.elf.creation_date:
dashed_name: threat-indicator-file-elf-creation-date
description: Extracted when possible from the file's metadata. Indicates when it
was built or compiled. It can also be faked by malware creators.
flat_name: threat.indicator.file.elf.creation_date
level: extended
name: creation_date
normalize: []
original_fieldset: elf
short: Build or compile date.
type: date
threat.indicator.file.elf.exports:
dashed_name: threat-indicator-file-elf-exports
description: List of exported element names and types.
flat_name: threat.indicator.file.elf.exports
level: extended
name: exports
normalize:
- array
original_fieldset: elf
short: List of exported element names and types.
type: flattened
threat.indicator.file.elf.go_import_hash:
dashed_name: threat-indicator-file-elf-go-import-hash
description: 'A hash of the Go language imports in an ELF file excluding standard
library imports. An import hash can be used to fingerprint binaries even after
recompilation or other code-level transformations have occurred, which would change
more traditional hash values.
The algorithm used to calculate the Go symbol hash and a reference implementation
are available [here](https://github.com/elastic/toutoumomoma).'
example: 10bddcb4cee42080f76c88d9ff964491
flat_name: threat.indicator.file.elf.go_import_hash
ignore_above: 1024
level: extended
name: go_import_hash
normalize: []
original_fieldset: elf
short: A hash of the Go language imports in an ELF file.
type: keyword
threat.indicator.file.elf.go_imports:
dashed_name: threat-indicator-file-elf-go-imports
description: List of imported Go language element names and types.
flat_name: threat.indicator.file.elf.go_imports
level: extended
name: go_imports
normalize: []
original_fieldset: elf
short: List of imported Go language element names and types.
type: flattened
threat.indicator.file.elf.go_imports_names_entropy:
dashed_name: threat-indicator-file-elf-go-imports-names-entropy
description: Shannon entropy calculation from the list of Go imports.
flat_name: threat.indicator.file.elf.go_imports_names_entropy
format: number
level: extended
name: go_imports_names_entropy
normalize: []
original_fieldset: elf
short: Shannon entropy calculation from the list of Go imports.
type: long
threat.indicator.file.elf.go_imports_names_var_entropy:
dashed_name: threat-indicator-file-elf-go-imports-names-var-entropy
description: Variance for Shannon entropy calculation from the list of Go imports.
flat_name: threat.indicator.file.elf.go_imports_names_var_entropy
format: number
level: extended
name: go_imports_names_var_entropy
normalize: []
original_fieldset: elf
short: Variance for Shannon entropy calculation from the list of Go imports.
type: long
threat.indicator.file.elf.go_stripped:
dashed_name: threat-indicator-file-elf-go-stripped
description: Set to true if the file is a Go executable that has had its symbols
stripped or obfuscated, and false if it is an unobfuscated Go executable.
flat_name: threat.indicator.file.elf.go_stripped
level: extended
name: go_stripped
normalize: []
original_fieldset: elf
short: Whether the file is a stripped or obfuscated Go executable.
type: boolean
threat.indicator.file.elf.header.abi_version:
dashed_name: threat-indicator-file-elf-header-abi-version
description: Version of the ELF Application Binary Interface (ABI).
flat_name: threat.indicator.file.elf.header.abi_version
ignore_above: 1024
level: extended
name: header.abi_version
normalize: []
original_fieldset: elf
short: Version of the ELF Application Binary Interface (ABI).
type: keyword
threat.indicator.file.elf.header.class:
dashed_name: threat-indicator-file-elf-header-class
description: Header class of the ELF file.
flat_name: threat.indicator.file.elf.header.class
ignore_above: 1024
level: extended
name: header.class
normalize: []
original_fieldset: elf
short: Header class of the ELF file.
type: keyword
threat.indicator.file.elf.header.data:
dashed_name: threat-indicator-file-elf-header-data
description: Data table of the ELF header.
flat_name: threat.indicator.file.elf.header.data
ignore_above: 1024
level: extended
name: header.data
normalize: []
original_fieldset: elf
short: Data table of the ELF header.
type: keyword
threat.indicator.file.elf.header.entrypoint:
dashed_name: threat-indicator-file-elf-header-entrypoint
description: Header entrypoint of the ELF file.
flat_name: threat.indicator.file.elf.header.entrypoint
format: string
level: extended
name: header.entrypoint
normalize: []
original_fieldset: elf
short: Header entrypoint of the ELF file.
type: long
threat.indicator.file.elf.header.object_version:
dashed_name: threat-indicator-file-elf-header-object-version
description: '"0x1" for original ELF files.'
flat_name: threat.indicator.file.elf.header.object_version
ignore_above: 1024
level: extended
name: header.object_version
normalize: []
original_fieldset: elf
short: '"0x1" for original ELF files.'
type: keyword
threat.indicator.file.elf.header.os_abi:
dashed_name: threat-indicator-file-elf-header-os-abi
description: Application Binary Interface (ABI) of the Linux OS.
flat_name: threat.indicator.file.elf.header.os_abi
ignore_above: 1024
level: extended
name: header.os_abi
normalize: []
original_fieldset: elf
short: Application Binary Interface (ABI) of the Linux OS.
type: keyword
threat.indicator.file.elf.header.type:
dashed_name: threat-indicator-file-elf-header-type
description: Header type of the ELF file.
flat_name: threat.indicator.file.elf.header.type
ignore_above: 1024
level: extended
name: header.type
normalize: []
original_fieldset: elf
short: Header type of the ELF file.
type: keyword
threat.indicator.file.elf.header.version:
dashed_name: threat-indicator-file-elf-header-version
description: Version of the ELF header.
flat_name: threat.indicator.file.elf.header.version
ignore_above: 1024
level: extended
name: header.version
normalize: []
original_fieldset: elf
short: Version of the ELF header.
type: keyword
threat.indicator.file.elf.import_hash:
dashed_name: threat-indicator-file-elf-import-hash
description: 'A hash of the imports in an ELF file. An import hash can be used to
fingerprint binaries even after recompilation or other code-level transformations
have occurred, which would change more traditional hash values.
This is an ELF implementation of the Windows PE imphash.'
example: d41d8cd98f00b204e9800998ecf8427e
flat_name: threat.indicator.file.elf.import_hash
ignore_above: 1024
level: extended
name: import_hash
normalize: []
original_fieldset: elf
short: A hash of the imports in an ELF file.
type: keyword
threat.indicator.file.elf.imports:
dashed_name: threat-indicator-file-elf-imports
description: List of imported element names and types.
flat_name: threat.indicator.file.elf.imports
level: extended
name: imports
normalize:
- array
original_fieldset: elf
short: List of imported element names and types.
type: flattened
threat.indicator.file.elf.imports_names_entropy:
dashed_name: threat-indicator-file-elf-imports-names-entropy
description: Shannon entropy calculation from the list of imported element names
and types.
flat_name: threat.indicator.file.elf.imports_names_entropy
format: number
level: extended
name: imports_names_entropy
normalize: []
original_fieldset: elf
short: Shannon entropy calculation from the list of imported element names and types.
type: long
threat.indicator.file.elf.imports_names_var_entropy:
dashed_name: threat-indicator-file-elf-imports-names-var-entropy
description: Variance for Shannon entropy calculation from the list of imported
element names and types.
flat_name: threat.indicator.file.elf.imports_names_var_entropy
format: number
level: extended
name: imports_names_var_entropy
normalize: []
original_fieldset: elf
short: Variance for Shannon entropy calculation from the list of imported element
names and types.
type: long
threat.indicator.file.elf.sections:
dashed_name: threat-indicator-file-elf-sections
description: 'An array containing an object for each section of the ELF file.
The keys that should be present in these objects are defined by sub-fields underneath
`elf.sections.*`.'
flat_name: threat.indicator.file.elf.sections
level: extended
name: sections
normalize:
- array
original_fieldset: elf
short: Section information of the ELF file.
type: nested
threat.indicator.file.elf.sections.chi2:
dashed_name: threat-indicator-file-elf-sections-chi2
description: Chi-square probability distribution of the section.
flat_name: threat.indicator.file.elf.sections.chi2
format: number
level: extended
name: sections.chi2
normalize: []
original_fieldset: elf
short: Chi-square probability distribution of the section.
type: long
threat.indicator.file.elf.sections.entropy:
dashed_name: threat-indicator-file-elf-sections-entropy
description: Shannon entropy calculation from the section.
flat_name: threat.indicator.file.elf.sections.entropy
format: number
level: extended
name: sections.entropy
normalize: []
original_fieldset: elf
short: Shannon entropy calculation from the section.
type: long
threat.indicator.file.elf.sections.flags:
dashed_name: threat-indicator-file-elf-sections-flags
description: ELF Section List flags.
flat_name: threat.indicator.file.elf.sections.flags
ignore_above: 1024
level: extended
name: sections.flags
normalize: []
original_fieldset: elf
short: ELF Section List flags.
type: keyword
threat.indicator.file.elf.sections.name:
dashed_name: threat-indicator-file-elf-sections-name
description: ELF Section List name.
flat_name: threat.indicator.file.elf.sections.name
ignore_above: 1024
level: extended
name: sections.name
normalize: []
original_fieldset: elf
short: ELF Section List name.
type: keyword
threat.indicator.file.elf.sections.physical_offset:
dashed_name: threat-indicator-file-elf-sections-physical-offset
description: ELF Section List offset.
flat_name: threat.indicator.file.elf.sections.physical_offset
ignore_above: 1024
level: extended
name: sections.physical_offset
normalize: []
original_fieldset: elf
short: ELF Section List offset.
type: keyword
threat.indicator.file.elf.sections.physical_size:
dashed_name: threat-indicator-file-elf-sections-physical-size
description: ELF Section List physical size.
flat_name: threat.indicator.file.elf.sections.physical_size
format: bytes
level: extended
name: sections.physical_size
normalize: []
original_fieldset: elf
short: ELF Section List physical size.
type: long
threat.indicator.file.elf.sections.type:
dashed_name: threat-indicator-file-elf-sections-type
description: ELF Section List type.
flat_name: threat.indicator.file.elf.sections.type
ignore_above: 1024
level: extended
name: sections.type
normalize: []
original_fieldset: elf
short: ELF Section List type.
type: keyword
threat.indicator.file.elf.sections.var_entropy:
dashed_name: threat-indicator-file-elf-sections-var-entropy
description: Variance for Shannon entropy calculation from the section.
flat_name: threat.indicator.file.elf.sections.var_entropy
format: number
level: extended
name: sections.var_entropy
normalize: []
original_fieldset: elf
short: Variance for Shannon entropy calculation from the section.
type: long
threat.indicator.file.elf.sections.virtual_address:
dashed_name: threat-indicator-file-elf-sections-virtual-address
description: ELF Section List virtual address.
flat_name: threat.indicator.file.elf.sections.virtual_address
format: string
level: extended
name: sections.virtual_address
normalize: []
original_fieldset: elf
short: ELF Section List virtual address.
type: long
threat.indicator.file.elf.sections.virtual_size:
dashed_name: threat-indicator-file-elf-sections-virtual-size
description: ELF Section List virtual size.
flat_name: threat.indicator.file.elf.sections.virtual_size
format: string
level: extended
name: sections.virtual_size
normalize: []
original_fieldset: elf
short: ELF Section List virtual size.
type: long
threat.indicator.file.elf.segments:
dashed_name: threat-indicator-file-elf-segments
description: 'An array containing an object for each segment of the ELF file.
The keys that should be present in these objects are defined by sub-fields underneath
`elf.segments.*`.'
flat_name: threat.indicator.file.elf.segments
level: extended
name: segments
normalize:
- array
original_fieldset: elf
short: ELF object segment list.
type: nested
threat.indicator.file.elf.segments.sections:
dashed_name: threat-indicator-file-elf-segments-sections
description: ELF object segment sections.
flat_name: threat.indicator.file.elf.segments.sections
ignore_above: 1024
level: extended
name: segments.sections
normalize: []
original_fieldset: elf
short: ELF object segment sections.
type: keyword
threat.indicator.file.elf.segments.type:
dashed_name: threat-indicator-file-elf-segments-type
description: ELF object segment type.
flat_name: threat.indicator.file.elf.segments.type
ignore_above: 1024
level: extended
name: segments.type
normalize: []
original_fieldset: elf
short: ELF object segment type.
type: keyword
threat.indicator.file.elf.shared_libraries:
dashed_name: threat-indicator-file-elf-shared-libraries
description: List of shared libraries used by this ELF object.
flat_name: threat.indicator.file.elf.shared_libraries
ignore_above: 1024
level: extended
name: shared_libraries
normalize:
- array
original_fieldset: elf
short: List of shared libraries used by this ELF object.
type: keyword
threat.indicator.file.elf.telfhash:
dashed_name: threat-indicator-file-elf-telfhash
description: telfhash symbol hash for ELF file.
flat_name: threat.indicator.file.elf.telfhash
ignore_above: 1024
level: extended
name: telfhash
normalize: []
original_fieldset: elf
short: telfhash symbol hash for ELF file.
type: keyword
threat.indicator.file.extension:
dashed_name: threat-indicator-file-extension
description: 'File extension, excluding the leading dot.
Note that when the file name has multiple extensions (example.tar.gz), only the
last one should be captured ("gz", not "tar.gz").'
example: png
flat_name: threat.indicator.file.extension
ignore_above: 1024
level: extended
name: extension
normalize: []
original_fieldset: file
short: File extension, excluding the leading dot.
type: keyword
threat.indicator.file.gid:
dashed_name: threat-indicator-file-gid
description: Primary group ID (GID) of the file.
example: '1001'
flat_name: threat.indicator.file.gid
ignore_above: 1024
level: extended
name: gid
normalize: []
original_fieldset: file
short: Primary group ID (GID) of the file.
type: keyword
threat.indicator.file.group:
dashed_name: threat-indicator-file-group
description: Primary group name of the file.
example: alice
flat_name: threat.indicator.file.group
ignore_above: 1024
level: extended
name: group
normalize: []
original_fieldset: file
short: Primary group name of the file.
type: keyword
threat.indicator.file.hash.md5:
dashed_name: threat-indicator-file-hash-md5
description: MD5 hash.
flat_name: threat.indicator.file.hash.md5
ignore_above: 1024
level: extended
name: md5
normalize: []
original_fieldset: hash
short: MD5 hash.
type: keyword
threat.indicator.file.hash.sha1:
dashed_name: threat-indicator-file-hash-sha1
description: SHA1 hash.
flat_name: threat.indicator.file.hash.sha1
ignore_above: 1024
level: extended
name: sha1
normalize: []
original_fieldset: hash
short: SHA1 hash.
type: keyword
threat.indicator.file.hash.sha256:
dashed_name: threat-indicator-file-hash-sha256
description: SHA256 hash.
flat_name: threat.indicator.file.hash.sha256
ignore_above: 1024
level: extended
name: sha256
normalize: []
original_fieldset: hash
short: SHA256 hash.
type: keyword
threat.indicator.file.hash.sha512:
dashed_name: threat-indicator-file-hash-sha512
description: SHA512 hash.
flat_name: threat.indicator.file.hash.sha512
ignore_above: 1024
level: extended
name: sha512
normalize: []
original_fieldset: hash
short: SHA512 hash.
type: keyword
threat.indicator.file.hash.ssdeep:
dashed_name: threat-indicator-file-hash-ssdeep
description: SSDEEP hash.
flat_name: threat.indicator.file.hash.ssdeep
ignore_above: 1024
level: extended
name: ssdeep
normalize: []
original_fieldset: hash
short: SSDEEP hash.
type: keyword
threat.indicator.file.inode:
dashed_name: threat-indicator-file-inode
description: Inode representing the file in the filesystem.
example: '256383'
flat_name: threat.indicator.file.inode
ignore_above: 1024
level: extended
name: inode
normalize: []
original_fieldset: file
short: Inode representing the file in the filesystem.
type: keyword
threat.indicator.file.mime_type:
dashed_name: threat-indicator-file-mime-type
description: MIME type should identify the format of the file or stream of bytes
using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
types], where possible. When more than one type is applicable, the most specific
type should be used.
flat_name: threat.indicator.file.mime_type
ignore_above: 1024
level: extended
name: mime_type
normalize: []
original_fieldset: file
short: Media type of file, document, or arrangement of bytes.
type: keyword
threat.indicator.file.mode:
dashed_name: threat-indicator-file-mode
description: Mode of the file in octal representation.
example: '0640'
flat_name: threat.indicator.file.mode
ignore_above: 1024
level: extended
name: mode
normalize: []
original_fieldset: file
short: Mode of the file in octal representation.
type: keyword
threat.indicator.file.mtime:
dashed_name: threat-indicator-file-mtime
description: Last time the file content was modified.
flat_name: threat.indicator.file.mtime
level: extended
name: mtime
normalize: []
original_fieldset: file
short: Last time the file content was modified.
type: date
threat.indicator.file.name:
dashed_name: threat-indicator-file-name
description: Name of the file including the extension, without the directory.
example: example.png
flat_name: threat.indicator.file.name
ignore_above: 1024
level: extended
name: name
normalize: []
original_fieldset: file
short: Name of the file including the extension, without the directory.
type: keyword
threat.indicator.file.owner:
dashed_name: threat-indicator-file-owner
description: File owner's username.
example: alice
flat_name: threat.indicator.file.owner
ignore_above: 1024
level: extended
name: owner
normalize: []
original_fieldset: file
short: File owner's username.
type: keyword
threat.indicator.file.path:
dashed_name: threat-indicator-file-path
description: Full path to the file, including the file name. It should include the
drive letter, when appropriate.
example: /home/alice/example.png
flat_name: threat.indicator.file.path
ignore_above: 1024
level: extended
multi_fields:
- flat_name: threat.indicator.file.path.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: threat.indicator.file.path.text
name: text
norms: false
type: text
name: path
normalize: []
original_fieldset: file
short: Full path to the file, including the file name.
type: keyword
threat.indicator.file.pe.architecture:
dashed_name: threat-indicator-file-pe-architecture
description: CPU architecture target for the file.
example: x64
flat_name: threat.indicator.file.pe.architecture
ignore_above: 1024
level: extended
name: architecture
normalize: []
original_fieldset: pe
short: CPU architecture target for the file.
type: keyword
threat.indicator.file.pe.company:
dashed_name: threat-indicator-file-pe-company
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
flat_name: threat.indicator.file.pe.company
ignore_above: 1024
level: extended
name: company
normalize: []
original_fieldset: pe
short: Internal company name of the file, provided at compile-time.
type: keyword
threat.indicator.file.pe.description:
dashed_name: threat-indicator-file-pe-description
description: Internal description of the file, provided at compile-time.
example: Paint
flat_name: threat.indicator.file.pe.description
ignore_above: 1024
level: extended
name: description
normalize: []
original_fieldset: pe
short: Internal description of the file, provided at compile-time.
type: keyword
threat.indicator.file.pe.file_version:
dashed_name: threat-indicator-file-pe-file-version
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
flat_name: threat.indicator.file.pe.file_version
ignore_above: 1024
level: extended
name: file_version
normalize: []
original_fieldset: pe
short: Internal version of the file, provided at compile-time.
type: keyword
threat.indicator.file.pe.imphash:
dashed_name: threat-indicator-file-pe-imphash
description: 'A hash of the imports in a PE file. An imphash -- or import hash --
can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
flat_name: threat.indicator.file.pe.imphash
ignore_above: 1024
level: extended
name: imphash
normalize: []
original_fieldset: pe
short: A hash of the imports in a PE file.
type: keyword
threat.indicator.file.pe.original_file_name:
dashed_name: threat-indicator-file-pe-original-file-name
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
flat_name: threat.indicator.file.pe.original_file_name
ignore_above: 1024
level: extended
name: original_file_name
normalize: []
original_fieldset: pe
short: Internal name of the file, provided at compile-time.
type: keyword
threat.indicator.file.pe.product:
dashed_name: threat-indicator-file-pe-product
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
flat_name: threat.indicator.file.pe.product
ignore_above: 1024
level: extended
name: product
normalize: []
original_fieldset: pe
short: Internal product name of the file, provided at compile-time.
type: keyword
threat.indicator.file.size:
dashed_name: threat-indicator-file-size
description: 'File size in bytes.
Only relevant when `file.type` is "file".'
example: 16384
flat_name: threat.indicator.file.size
level: extended
name: size
normalize: []
original_fieldset: file
short: File size in bytes.
type: long
threat.indicator.file.target_path:
dashed_name: threat-indicator-file-target-path
description: Target path for symlinks.
flat_name: threat.indicator.file.target_path
ignore_above: 1024
level: extended
multi_fields:
- flat_name: threat.indicator.file.target_path.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: threat.indicator.file.target_path.text
name: text
norms: false
type: text
name: target_path
normalize: []
original_fieldset: file
short: Target path for symlinks.
type: keyword
threat.indicator.file.type:
dashed_name: threat-indicator-file-type
description: File type (file, dir, or symlink).
example: file
flat_name: threat.indicator.file.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: file
short: File type (file, dir, or symlink).
type: keyword
threat.indicator.file.uid:
dashed_name: threat-indicator-file-uid
description: The user ID (UID) or security identifier (SID) of the file owner.
example: '1001'
flat_name: threat.indicator.file.uid
ignore_above: 1024
level: extended
name: uid
normalize: []
original_fieldset: file
short: The user ID (UID) or security identifier (SID) of the file owner.
type: keyword
threat.indicator.first_seen:
dashed_name: threat-indicator-first-seen
description: The date and time when intelligence source first reported sighting
this indicator.
example: '2020-11-05T17:25:47.000Z'
flat_name: threat.indicator.first_seen
level: extended
name: indicator.first_seen
normalize: []
short: Date/time indicator was first reported.
type: date
threat.indicator.geo.city_name:
dashed_name: threat-indicator-geo-city-name
description: City name.
example: Montreal
flat_name: threat.indicator.geo.city_name
ignore_above: 1024
level: core
name: city_name
normalize: []
original_fieldset: geo
short: City name.
type: keyword
threat.indicator.geo.continent_code:
dashed_name: threat-indicator-geo-continent-code
description: Two-letter code representing continent's name.
example: NA
flat_name: threat.indicator.geo.continent_code
ignore_above: 1024
level: core
name: continent_code
normalize: []
original_fieldset: geo
short: Continent code.
type: keyword
threat.indicator.geo.continent_name:
dashed_name: threat-indicator-geo-continent-name
description: Name of the continent.
example: North America
flat_name: threat.indicator.geo.continent_name
ignore_above: 1024
level: core
name: continent_name
normalize: []
original_fieldset: geo
short: Name of the continent.
type: keyword
threat.indicator.geo.country_iso_code:
dashed_name: threat-indicator-geo-country-iso-code
description: Country ISO code.
example: CA
flat_name: threat.indicator.geo.country_iso_code
ignore_above: 1024
level: core
name: country_iso_code
normalize: []
original_fieldset: geo
short: Country ISO code.
type: keyword
threat.indicator.geo.country_name:
dashed_name: threat-indicator-geo-country-name
description: Country name.
example: Canada
flat_name: threat.indicator.geo.country_name
ignore_above: 1024
level: core
name: country_name
normalize: []
original_fieldset: geo
short: Country name.
type: keyword
threat.indicator.geo.location:
dashed_name: threat-indicator-geo-location
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
flat_name: threat.indicator.geo.location
level: core
name: location
normalize: []
original_fieldset: geo
short: Longitude and latitude.
type: geo_point
threat.indicator.geo.name:
dashed_name: threat-indicator-geo-name
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes a
local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
flat_name: threat.indicator.geo.name
ignore_above: 1024
level: extended
name: name
normalize: []
original_fieldset: geo
short: User-defined description of a location.
type: keyword
threat.indicator.geo.postal_code:
dashed_name: threat-indicator-geo-postal-code
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
flat_name: threat.indicator.geo.postal_code
ignore_above: 1024
level: core
name: postal_code
normalize: []
original_fieldset: geo
short: Postal code.
type: keyword
threat.indicator.geo.region_iso_code:
dashed_name: threat-indicator-geo-region-iso-code
description: Region ISO code.
example: CA-QC
flat_name: threat.indicator.geo.region_iso_code
ignore_above: 1024
level: core
name: region_iso_code
normalize: []
original_fieldset: geo
short: Region ISO code.
type: keyword
threat.indicator.geo.region_name:
dashed_name: threat-indicator-geo-region-name
description: Region name.
example: Quebec
flat_name: threat.indicator.geo.region_name
ignore_above: 1024
level: core
name: region_name
normalize: []
original_fieldset: geo
short: Region name.
type: keyword
threat.indicator.geo.timezone:
dashed_name: threat-indicator-geo-timezone
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
flat_name: threat.indicator.geo.timezone
ignore_above: 1024
level: core
name: timezone
normalize: []
original_fieldset: geo
short: Time zone.
type: keyword
threat.indicator.ip:
  # NOTE(review): 1.2.3.4 is a live, globally routable address (1.0.0.0/8 is an
  # allocated APNIC block), so anything that copies the example into a test or a
  # rule could end up touching a real host. Documentation ranges from RFC 5737
  # (e.g. 192.0.2.0/24) are the safer choice for examples - confirm with the
  # schema owners before changing the example value itself.
  dashed_name: threat-indicator-ip
  description: Identifies a threat indicator as an IP address (irrespective of direction).
  example: 1.2.3.4
  flat_name: threat.indicator.ip
  level: extended
  name: indicator.ip
  normalize: []
  short: Indicator IP address
  type: ip
threat.indicator.last_seen:
dashed_name: threat-indicator-last-seen
description: The date and time when intelligence source last reported sighting this
indicator.
example: '2020-11-05T17:25:47.000Z'
flat_name: threat.indicator.last_seen
level: extended
name: indicator.last_seen
normalize: []
short: Date/time indicator was last reported.
type: date
threat.indicator.marking.tlp:
  # NOTE(review): TLP is a handling restriction, not just a label. Any pipeline that
  # re-shares, exports or surfaces indicators outside the organisation should gate
  # on this field. WHITE is the TLP 1.0 name for what TLP 2.0 calls CLEAR, and
  # AMBER+STRICT exists only in TLP 2.0; a consumer that only understands 1.0 labels
  # should map it to the more restrictive AMBER handling rather than drop it.
  # `expected_values` documents the vocabulary - presumably the keyword mapping
  # itself accepts any string, so enforce the allowed set at ingest (verify).
  dashed_name: threat-indicator-marking-tlp
  description: Traffic Light Protocol sharing markings.
  example: CLEAR
  expected_values:
  - WHITE
  - CLEAR
  - GREEN
  - AMBER
  - AMBER+STRICT
  - RED
  flat_name: threat.indicator.marking.tlp
  ignore_above: 1024
  level: extended
  name: indicator.marking.tlp
  normalize: []
  short: Indicator TLP marking
  type: keyword
threat.indicator.modified_at:
dashed_name: threat-indicator-modified-at
description: The date and time when intelligence source last modified information
for this indicator.
example: '2020-11-05T17:25:47.000Z'
flat_name: threat.indicator.modified_at
level: extended
name: indicator.modified_at
normalize: []
short: Date/time indicator was last updated.
type: date
threat.indicator.port:
dashed_name: threat-indicator-port
description: Identifies a threat indicator as a port number (irrespective of direction).
example: 443
flat_name: threat.indicator.port
level: extended
name: indicator.port
normalize: []
short: Indicator port
type: long
threat.indicator.provider:
dashed_name: threat-indicator-provider
description: The name of the indicator's provider.
example: lrz_urlhaus
flat_name: threat.indicator.provider
ignore_above: 1024
level: extended
name: indicator.provider
normalize: []
short: Indicator provider
type: keyword
threat.indicator.reference:
dashed_name: threat-indicator-reference
description: Reference URL linking to additional information about this indicator.
example: https://system.example.com/indicator/0001234
flat_name: threat.indicator.reference
ignore_above: 1024
level: extended
name: indicator.reference
normalize: []
short: Indicator reference URL
type: keyword
threat.indicator.registry.data.bytes:
  # NOTE(review): `ignore_above: 1024` is measured on the base64 string, i.e. roughly
  # 768 raw bytes. Larger REG_BINARY blobs are presumably kept in the stored document
  # but not indexed, so a search on this field will silently miss them - confirm the
  # index behaviour before building hunts on it. The decoded content is attacker-
  # controlled data and must be treated as untrusted input by anything that parses it.
  dashed_name: threat-indicator-registry-data-bytes
  description: 'Original bytes written with base64 encoding.
    For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
    corresponds to the data pointed by `lp_data`. This is optional but provides better
    recoverability and should be populated for REG_BINARY encoded values.'
  example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
  flat_name: threat.indicator.registry.data.bytes
  ignore_above: 1024
  level: extended
  name: data.bytes
  normalize: []
  original_fieldset: registry
  short: Original bytes written with base64 encoding.
  type: keyword
threat.indicator.registry.data.strings:
dashed_name: threat-indicator-registry-data-strings
description: 'Content when writing string types.
Populated as an array when writing string data to the registry. For single string
registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
For sequences of string with REG_MULTI_SZ, this array will be variable length.
For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with
the decimal representation (e.g `"1"`).'
example: '["C:\rta\red_ttp\bin\myapp.exe"]'
flat_name: threat.indicator.registry.data.strings
level: core
name: data.strings
normalize:
- array
original_fieldset: registry
short: List of strings representing what was written to the registry.
type: wildcard
threat.indicator.registry.data.type:
dashed_name: threat-indicator-registry-data-type
description: Standard registry type for encoding contents
example: REG_SZ
flat_name: threat.indicator.registry.data.type
ignore_above: 1024
level: core
name: data.type
normalize: []
original_fieldset: registry
short: Standard registry type for encoding contents
type: keyword
threat.indicator.registry.hive:
dashed_name: threat-indicator-registry-hive
description: Abbreviated name for the hive.
example: HKLM
flat_name: threat.indicator.registry.hive
ignore_above: 1024
level: core
name: hive
normalize: []
original_fieldset: registry
short: Abbreviated name for the hive.
type: keyword
threat.indicator.registry.key:
dashed_name: threat-indicator-registry-key
description: Hive-relative path of keys.
example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
flat_name: threat.indicator.registry.key
ignore_above: 1024
level: core
name: key
normalize: []
original_fieldset: registry
short: Hive-relative path of keys.
type: keyword
threat.indicator.registry.path:
dashed_name: threat-indicator-registry-path
description: Full path, including hive, key and value
example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\winword.exe\Debugger
flat_name: threat.indicator.registry.path
ignore_above: 1024
level: core
name: path
normalize: []
original_fieldset: registry
short: Full path, including hive, key and value
type: keyword
threat.indicator.registry.value:
dashed_name: threat-indicator-registry-value
description: Name of the value written.
example: Debugger
flat_name: threat.indicator.registry.value
ignore_above: 1024
level: core
name: value
normalize: []
original_fieldset: registry
short: Name of the value written.
type: keyword
threat.indicator.scanner_stats:
dashed_name: threat-indicator-scanner-stats
description: Count of AV/EDR vendors that successfully detected malicious file or
URL.
example: 4
flat_name: threat.indicator.scanner_stats
level: extended
name: indicator.scanner_stats
normalize: []
short: Scanner statistics
type: long
threat.indicator.sightings:
dashed_name: threat-indicator-sightings
description: Number of times this indicator was observed conducting threat activity.
example: 20
flat_name: threat.indicator.sightings
level: extended
name: indicator.sightings
normalize: []
short: Number of times indicator observed
type: long
threat.indicator.type:
dashed_name: threat-indicator-type
description: Type of indicator as represented by Cyber Observable in STIX 2.0.
example: ipv4-addr
expected_values:
- autonomous-system
- artifact
- directory
- domain-name
- email-addr
- file
- ipv4-addr
- ipv6-addr
- mac-addr
- mutex
- port
- process
- software
- url
- user-account
- windows-registry-key
- x509-certificate
flat_name: threat.indicator.type
ignore_above: 1024
level: extended
name: indicator.type
normalize: []
short: Type of indicator
type: keyword
threat.indicator.url.domain:
dashed_name: threat-indicator-url-domain
description: 'Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain
name. In this case, the IP address would go to the `domain` field.
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732),
the `[` and `]` characters should also be captured in the `domain` field.'
example: www.elastic.co
flat_name: threat.indicator.url.domain
ignore_above: 1024
level: extended
name: domain
normalize: []
original_fieldset: url
short: Domain of the url.
type: keyword
threat.indicator.url.extension:
dashed_name: threat-indicator-url-extension
description: 'The field contains the file extension from the original request url,
excluding the leading dot.
The file extension is only set if it exists, as not every url has a file extension.
The leading period must not be included. For example, the value must be "png",
not ".png".
Note that when the file name has multiple extensions (example.tar.gz), only the
last one should be captured ("gz", not "tar.gz").'
example: png
flat_name: threat.indicator.url.extension
ignore_above: 1024
level: extended
name: extension
normalize: []
original_fieldset: url
short: File extension from the request url, excluding the leading dot.
type: keyword
threat.indicator.url.fragment:
dashed_name: threat-indicator-url-fragment
description: 'Portion of the url after the `#`, such as "top".
The `#` is not part of the fragment.'
flat_name: threat.indicator.url.fragment
ignore_above: 1024
level: extended
name: fragment
normalize: []
original_fieldset: url
short: Portion of the url after the `#`.
type: keyword
threat.indicator.url.full:
  # NOTE(review): an unparsed URL can carry embedded credentials (userinfo) and
  # bearer-style tokens in the query string; the same values end up in url.password,
  # url.username and url.query. Unlike the keyword fields in this schema there is no
  # `ignore_above` here, so the whole value is retained. Apply the same access
  # restrictions or redaction to this field as to url.password.
  dashed_name: threat-indicator-url-full
  description: If full URLs are important to your use case, they should be stored
    in `url.full`, whether this field is reconstructed or present in the event source.
  example: https://www.elastic.co:443/search?q=elasticsearch#top
  flat_name: threat.indicator.url.full
  level: extended
  multi_fields:
  - flat_name: threat.indicator.url.full.text
    name: text
    type: match_only_text
  name: full
  normalize: []
  original_fieldset: url
  short: Full unparsed URL.
  type: wildcard
threat.indicator.url.original:
dashed_name: threat-indicator-url-original
description: 'Unmodified original url as seen in the event source.
Note that in network monitoring, the observed URL may be a full URL, whereas in
access logs, the URL is often just represented as a path.
This field is meant to represent the URL as it was observed, complete or not.'
example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
flat_name: threat.indicator.url.original
level: extended
multi_fields:
- flat_name: threat.indicator.url.original.text
name: text
type: match_only_text
name: original
normalize: []
original_fieldset: url
short: Unmodified original url as seen in the event source.
type: wildcard
threat.indicator.url.password:
  # NOTE(review): this persists a plaintext credential (presumably the userinfo part
  # of the indicator URL) as a searchable keyword. Treat it as sensitive: restrict
  # read access (field-level security or a redacting ingest step) and avoid copying
  # it into alert text, dashboards or exports. The same value is also present
  # verbatim in url.full / url.original when those carry the userinfo portion.
  dashed_name: threat-indicator-url-password
  description: Password of the request.
  flat_name: threat.indicator.url.password
  ignore_above: 1024
  level: extended
  name: password
  normalize: []
  original_fieldset: url
  short: Password of the request.
  type: keyword
threat.indicator.url.path:
dashed_name: threat-indicator-url-path
description: Path of the request, such as "/search".
flat_name: threat.indicator.url.path
level: extended
name: path
normalize: []
original_fieldset: url
short: Path of the request, such as "/search".
type: wildcard
threat.indicator.url.port:
dashed_name: threat-indicator-url-port
description: Port of the request, such as 443.
example: 443
flat_name: threat.indicator.url.port
format: string
level: extended
name: port
normalize: []
original_fieldset: url
short: Port of the request, such as 443.
type: long
threat.indicator.url.query:
dashed_name: threat-indicator-url-query
description: 'The query field describes the query string of the request, such as
"q=elasticsearch".
The `?` is excluded from the query string. If a URL contains no `?`, there is
no query field. If there is a `?` but no query, the query field exists with an
empty string. The `exists` query can be used to differentiate between the two
cases.'
flat_name: threat.indicator.url.query
ignore_above: 1024
level: extended
name: query
normalize: []
original_fieldset: url
short: Query string of the request.
type: keyword
threat.indicator.url.registered_domain:
dashed_name: threat-indicator-url-registered-domain
description: 'The highest registered url domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix list
(http://publicsuffix.org). Trying to approximate this by simply taking the last
two labels will not work well for TLDs such as "co.uk".'
example: example.com
flat_name: threat.indicator.url.registered_domain
ignore_above: 1024
level: extended
name: registered_domain
normalize: []
original_fieldset: url
short: The highest registered url domain, stripped of the subdomain.
type: keyword
threat.indicator.url.scheme:
dashed_name: threat-indicator-url-scheme
description: 'Scheme of the request, such as "https".
Note: The `:` is not part of the scheme.'
example: https
flat_name: threat.indicator.url.scheme
ignore_above: 1024
level: extended
name: scheme
normalize: []
original_fieldset: url
short: Scheme of the url.
type: keyword
threat.indicator.url.subdomain:
dashed_name: threat-indicator-url-subdomain
description: 'The subdomain portion of a fully qualified domain name includes all
of the names except the host name under the registered_domain. In a partially
qualified domain, or if the qualification level of the full name cannot be
determined, subdomain contains all of the names below the registered domain.
For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
subdomain field should contain "sub2.sub1", with no trailing period.'
example: east
flat_name: threat.indicator.url.subdomain
ignore_above: 1024
level: extended
name: subdomain
normalize: []
original_fieldset: url
short: The subdomain of the domain.
type: keyword
threat.indicator.url.top_level_domain:
dashed_name: threat-indicator-url-top-level-domain
description: 'The effective top level domain (eTLD), also known as the domain suffix,
is the last part of the domain name. For example, the top level domain for example.com
is "com".
This value can be determined precisely with a list like the public suffix list
(http://publicsuffix.org). Trying to approximate this by simply taking the last
label will not work well for effective TLDs such as "co.uk".'
example: co.uk
flat_name: threat.indicator.url.top_level_domain
ignore_above: 1024
level: extended
name: top_level_domain
normalize: []
original_fieldset: url
short: The effective top level domain (com, org, net, co.uk).
type: keyword
threat.indicator.url.username:
  # NOTE(review): a username taken from a URL's userinfo is half of a credential and
  # frequently an internal account name; pair any access restriction applied to
  # url.password with this field as well.
  dashed_name: threat-indicator-url-username
  description: Username of the request.
  flat_name: threat.indicator.url.username
  ignore_above: 1024
  level: extended
  name: username
  normalize: []
  original_fieldset: url
  short: Username of the request.
  type: keyword
threat.indicator.x509.alternative_names:
dashed_name: threat-indicator-x509-alternative-names
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names (and
wildcards), and email addresses.
example: '*.elastic.co'
flat_name: threat.indicator.x509.alternative_names
ignore_above: 1024
level: extended
name: alternative_names
normalize:
- array
original_fieldset: x509
short: List of subject alternative names (SAN).
type: keyword
threat.indicator.x509.issuer.common_name:
dashed_name: threat-indicator-x509-issuer-common-name
description: List of common names (CN) of issuing certificate authority.
example: Example SHA2 High Assurance Server CA
flat_name: threat.indicator.x509.issuer.common_name
ignore_above: 1024
level: extended
name: issuer.common_name
normalize:
- array
original_fieldset: x509
short: List of common names (CN) of issuing certificate authority.
type: keyword
threat.indicator.x509.issuer.country:
dashed_name: threat-indicator-x509-issuer-country
description: List of country (C) codes
example: US
flat_name: threat.indicator.x509.issuer.country
ignore_above: 1024
level: extended
name: issuer.country
normalize:
- array
original_fieldset: x509
short: List of country (C) codes
type: keyword
threat.indicator.x509.issuer.distinguished_name:
dashed_name: threat-indicator-x509-issuer-distinguished-name
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
flat_name: threat.indicator.x509.issuer.distinguished_name
ignore_above: 1024
level: extended
name: issuer.distinguished_name
normalize: []
original_fieldset: x509
short: Distinguished name (DN) of issuing certificate authority.
type: keyword
threat.indicator.x509.issuer.locality:
dashed_name: threat-indicator-x509-issuer-locality
description: List of locality names (L)
example: Mountain View
flat_name: threat.indicator.x509.issuer.locality
ignore_above: 1024
level: extended
name: issuer.locality
normalize:
- array
original_fieldset: x509
short: List of locality names (L)
type: keyword
threat.indicator.x509.issuer.organization:
dashed_name: threat-indicator-x509-issuer-organization
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
flat_name: threat.indicator.x509.issuer.organization
ignore_above: 1024
level: extended
name: issuer.organization
normalize:
- array
original_fieldset: x509
short: List of organizations (O) of issuing certificate authority.
type: keyword
threat.indicator.x509.issuer.organizational_unit:
dashed_name: threat-indicator-x509-issuer-organizational-unit
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
flat_name: threat.indicator.x509.issuer.organizational_unit
ignore_above: 1024
level: extended
name: issuer.organizational_unit
normalize:
- array
original_fieldset: x509
short: List of organizational units (OU) of issuing certificate authority.
type: keyword
threat.indicator.x509.issuer.state_or_province:
dashed_name: threat-indicator-x509-issuer-state-or-province
description: List of state or province names (ST, S, or P)
example: California
flat_name: threat.indicator.x509.issuer.state_or_province
ignore_above: 1024
level: extended
name: issuer.state_or_province
normalize:
- array
original_fieldset: x509
short: List of state or province names (ST, S, or P)
type: keyword
threat.indicator.x509.not_after:
dashed_name: threat-indicator-x509-not-after
description: Time at which the certificate is no longer considered valid.
example: '2020-07-16T03:15:39Z'
flat_name: threat.indicator.x509.not_after
level: extended
name: not_after
normalize: []
original_fieldset: x509
short: Time at which the certificate is no longer considered valid.
type: date
threat.indicator.x509.not_before:
dashed_name: threat-indicator-x509-not-before
description: Time at which the certificate is first considered valid.
example: '2019-08-16T01:40:25Z'
flat_name: threat.indicator.x509.not_before
level: extended
name: not_before
normalize: []
original_fieldset: x509
short: Time at which the certificate is first considered valid.
type: date
threat.indicator.x509.public_key_algorithm:
dashed_name: threat-indicator-x509-public-key-algorithm
description: Algorithm used to generate the public key.
example: RSA
flat_name: threat.indicator.x509.public_key_algorithm
ignore_above: 1024
level: extended
name: public_key_algorithm
normalize: []
original_fieldset: x509
short: Algorithm used to generate the public key.
type: keyword
threat.indicator.x509.public_key_curve:
dashed_name: threat-indicator-x509-public-key-curve
description: The curve used by the elliptic curve public key algorithm. This is
algorithm specific.
example: nistp521
flat_name: threat.indicator.x509.public_key_curve
ignore_above: 1024
level: extended
name: public_key_curve
normalize: []
original_fieldset: x509
short: The curve used by the elliptic curve public key algorithm. This is algorithm
specific.
type: keyword
threat.indicator.x509.public_key_exponent:
  # NOTE(review): `index: false` together with `doc_values: false` means this value
  # is only retrievable from the stored document; it cannot be searched or aggregated.
  # A hunt for unusual RSA exponents (e.g. e=3) therefore has to run at ingest or as
  # a post-processing job over the stored documents, not as an index query.
  dashed_name: threat-indicator-x509-public-key-exponent
  description: Exponent used to derive the public key. This is algorithm specific.
  doc_values: false
  example: 65537
  flat_name: threat.indicator.x509.public_key_exponent
  index: false
  level: extended
  name: public_key_exponent
  normalize: []
  original_fieldset: x509
  short: Exponent used to derive the public key. This is algorithm specific.
  type: long
threat.indicator.x509.public_key_size:
dashed_name: threat-indicator-x509-public-key-size
description: The size of the public key space in bits.
example: 2048
flat_name: threat.indicator.x509.public_key_size
level: extended
name: public_key_size
normalize: []
original_fieldset: x509
short: The size of the public key space in bits.
type: long
threat.indicator.x509.serial_number:
dashed_name: threat-indicator-x509-serial-number
description: Unique serial number issued by the certificate authority. For consistency,
  if this value is alphanumeric, it should be formatted without colons and in uppercase
  characters.
example: 55FBB9C7DEBF09809D12CCAA
flat_name: threat.indicator.x509.serial_number
ignore_above: 1024
level: extended
name: serial_number
normalize: []
original_fieldset: x509
short: Unique serial number issued by the certificate authority.
type: keyword
threat.indicator.x509.signature_algorithm:
dashed_name: threat-indicator-x509-signature-algorithm
description: Identifier for certificate signature algorithm. We recommend using
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
flat_name: threat.indicator.x509.signature_algorithm
ignore_above: 1024
level: extended
name: signature_algorithm
normalize: []
original_fieldset: x509
short: Identifier for certificate signature algorithm.
type: keyword
threat.indicator.x509.subject.common_name:
dashed_name: threat-indicator-x509-subject-common-name
description: List of common names (CN) of subject.
example: shared.global.example.net
flat_name: threat.indicator.x509.subject.common_name
ignore_above: 1024
level: extended
name: subject.common_name
normalize:
- array
original_fieldset: x509
short: List of common names (CN) of subject.
type: keyword
threat.indicator.x509.subject.country:
dashed_name: threat-indicator-x509-subject-country
description: List of country (C) codes
example: US
flat_name: threat.indicator.x509.subject.country
ignore_above: 1024
level: extended
name: subject.country
normalize:
- array
original_fieldset: x509
short: List of country (C) codes
type: keyword
threat.indicator.x509.subject.distinguished_name:
dashed_name: threat-indicator-x509-subject-distinguished-name
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
flat_name: threat.indicator.x509.subject.distinguished_name
ignore_above: 1024
level: extended
name: subject.distinguished_name
normalize: []
original_fieldset: x509
short: Distinguished name (DN) of the certificate subject entity.
type: keyword
threat.indicator.x509.subject.locality:
dashed_name: threat-indicator-x509-subject-locality
description: List of locality names (L)
example: San Francisco
flat_name: threat.indicator.x509.subject.locality
ignore_above: 1024
level: extended
name: subject.locality
normalize:
- array
original_fieldset: x509
short: List of locality names (L)
type: keyword
threat.indicator.x509.subject.organization:
dashed_name: threat-indicator-x509-subject-organization
description: List of organizations (O) of subject.
example: Example, Inc.
flat_name: threat.indicator.x509.subject.organization
ignore_above: 1024
level: extended
name: subject.organization
normalize:
- array
original_fieldset: x509
short: List of organizations (O) of subject.
type: keyword
threat.indicator.x509.subject.organizational_unit:
dashed_name: threat-indicator-x509-subject-organizational-unit
description: List of organizational units (OU) of subject.
flat_name: threat.indicator.x509.subject.organizational_unit
ignore_above: 1024
level: extended
name: subject.organizational_unit
normalize:
- array
original_fieldset: x509
short: List of organizational units (OU) of subject.
type: keyword
threat.indicator.x509.subject.state_or_province:
dashed_name: threat-indicator-x509-subject-state-or-province
description: List of state or province names (ST, S, or P)
example: California
flat_name: threat.indicator.x509.subject.state_or_province
ignore_above: 1024
level: extended
name: subject.state_or_province
normalize:
- array
original_fieldset: x509
short: List of state or province names (ST, S, or P)
type: keyword
threat.indicator.x509.version_number:
dashed_name: threat-indicator-x509-version-number
description: Version of x509 format.
example: 3
flat_name: threat.indicator.x509.version_number
ignore_above: 1024
level: extended
name: version_number
normalize: []
original_fieldset: x509
short: Version of x509 format.
type: keyword
threat.software.id:
dashed_name: threat-software-id
description: "The id of the software used by this threat to conduct behavior commonly\
\ modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use a MITRE ATT&CK\xAE\
\ software id."
example: S0552
flat_name: threat.software.id
ignore_above: 1024
level: extended
name: software.id
normalize: []
short: ID of the software
type: keyword
threat.software.name:
dashed_name: threat-software-name
description: "The name of the software used by this threat to conduct behavior commonly\
\ modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use a MITRE ATT&CK\xAE\
\ software name."
example: AdFind
flat_name: threat.software.name
ignore_above: 1024
level: extended
name: software.name
normalize: []
short: Name of the software.
type: keyword
threat.software.platforms:
dashed_name: threat-software-platforms
description: "The platforms of the software used by this threat to conduct behavior\
\ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use MITRE\
\ ATT&CK\xAE software platform values."
example: '[ "Windows" ]'
expected_values:
- AWS
- Azure
- Azure AD
- GCP
- Linux
- macOS
- Network
- Office 365
- SaaS
- Windows
flat_name: threat.software.platforms
ignore_above: 1024
level: extended
name: software.platforms
normalize:
- array
short: Platforms of the software.
type: keyword
threat.software.reference:
dashed_name: threat-software-reference
description: "The reference URL of the software used by this threat to conduct behavior\
\ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use a\
\ MITRE ATT&CK\xAE software reference URL."
example: https://attack.mitre.org/software/S0552/
flat_name: threat.software.reference
ignore_above: 1024
level: extended
name: software.reference
normalize: []
short: Software reference URL.
type: keyword
threat.software.type:
dashed_name: threat-software-type
description: "The type of software used by this threat to conduct behavior commonly\
\ modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use a MITRE ATT&CK\xAE\
\ software type."
example: Tool
expected_values:
- Malware
- Tool
flat_name: threat.software.type
ignore_above: 1024
level: extended
name: software.type
normalize: []
short: Software type.
type: keyword
threat.tactic.id:
dashed_name: threat-tactic-id
description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
\ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
example: TA0002
flat_name: threat.tactic.id
ignore_above: 1024
level: extended
name: tactic.id
normalize:
- array
short: Threat tactic id.
type: keyword
threat.tactic.name:
dashed_name: threat-tactic-name
description: "Name of the type of tactic used by this threat. You can use a MITRE\
\ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
example: Execution
flat_name: threat.tactic.name
ignore_above: 1024
level: extended
name: tactic.name
normalize:
- array
short: Threat tactic.
type: keyword
threat.tactic.reference:
dashed_name: threat-tactic-reference
description: "The reference url of tactic used by this threat. You can use a MITRE\
\ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
\ )"
example: https://attack.mitre.org/tactics/TA0002/
flat_name: threat.tactic.reference
ignore_above: 1024
level: extended
name: tactic.reference
normalize:
- array
short: Threat tactic URL reference.
type: keyword
threat.technique.id:
dashed_name: threat-technique-id
description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
\ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: T1059
flat_name: threat.technique.id
ignore_above: 1024
level: extended
name: technique.id
normalize:
- array
short: Threat technique id.
type: keyword
threat.technique.name:
dashed_name: threat-technique-name
description: "The name of technique used by this threat. You can use a MITRE ATT&CK\xAE\
\ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: Command and Scripting Interpreter
flat_name: threat.technique.name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: threat.technique.name.text
name: text
type: match_only_text
name: technique.name
normalize:
- array
short: Threat technique name.
type: keyword
threat.technique.reference:
dashed_name: threat-technique-reference
description: "The reference url of technique used by this threat. You can use a\
\ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: https://attack.mitre.org/techniques/T1059/
flat_name: threat.technique.reference
ignore_above: 1024
level: extended
name: technique.reference
normalize:
- array
short: Threat technique URL reference.
type: keyword
threat.technique.subtechnique.id:
dashed_name: threat-technique-subtechnique-id
description: "The full id of subtechnique used by this threat. You can use a MITRE\
\ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: T1059.001
flat_name: threat.technique.subtechnique.id
ignore_above: 1024
level: extended
name: technique.subtechnique.id
normalize:
- array
short: Threat subtechnique id.
type: keyword
threat.technique.subtechnique.name:
dashed_name: threat-technique-subtechnique-name
description: "The name of subtechnique used by this threat. You can use a MITRE\
\ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: PowerShell
flat_name: threat.technique.subtechnique.name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: threat.technique.subtechnique.name.text
name: text
type: match_only_text
name: technique.subtechnique.name
normalize:
- array
short: Threat subtechnique name.
type: keyword
threat.technique.subtechnique.reference:
dashed_name: threat-technique-subtechnique-reference
description: "The reference url of subtechnique used by this threat. You can use\
\ a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: https://attack.mitre.org/techniques/T1059/001/
flat_name: threat.technique.subtechnique.reference
ignore_above: 1024
level: extended
name: technique.subtechnique.reference
normalize:
- array
short: Threat subtechnique URL reference.
type: keyword
user.Ext:
dashed_name: user-Ext
description: Object for all custom defined fields to live in.
flat_name: user.Ext
level: custom
name: Ext
normalize: []
short: Object for all custom defined fields to live in.
type: object
# Review note: "real" is the user identity before setuid took effect; the sibling
# user.id / user.name fields presumably carry the identity after it (confirm against
# the producer). When the two disagree the process changed privilege level, which is
# itself a signal worth surfacing, so keep both sets of fields in alert output.
user.Ext.real:
  dashed_name: user-Ext-real
  description: User info prior to any setuid operations.
  flat_name: user.Ext.real
  level: custom
  name: Ext.real
  normalize: []
  short: User info prior to any setuid operations.
  type: object
# Review note: the description says "one or multiple" identifiers, but normalize is []
# rather than [array] as used on the threat.* fields, and the core user.id field is
# documented as a single value. Confirm whether this field is multi-valued and align
# either the description or the normalize setting so consumers do not have to guess.
user.Ext.real.id:
  dashed_name: user-Ext-real-id
  description: One or multiple unique identifiers of the user.
  flat_name: user.Ext.real.id
  ignore_above: 1024
  level: custom
  name: Ext.real.id
  normalize: []
  short: One or multiple unique identifiers of the user.
  type: keyword
user.Ext.real.name:
dashed_name: user-Ext-real-name
description: Short name or login of the user.
flat_name: user.Ext.real.name
ignore_above: 1024
level: custom
name: Ext.real.name
normalize: []
short: Short name or login of the user.
type: keyword
user.domain:
dashed_name: user-domain
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
flat_name: user.domain
ignore_above: 1024
level: extended
name: domain
normalize: []
short: Name of the directory the user is a member of.
type: keyword
user.email:
dashed_name: user-email
description: User email address.
flat_name: user.email
ignore_above: 1024
level: extended
name: email
normalize: []
short: User email address.
type: keyword
user.full_name:
dashed_name: user-full-name
description: User's full name, if available.
example: Albert Einstein
flat_name: user.full_name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: user.full_name.text
name: text
type: match_only_text
name: full_name
normalize: []
short: User's full name, if available.
type: keyword
user.group.Ext:
dashed_name: user-group-Ext
description: Object for all custom defined fields to live in.
flat_name: user.group.Ext
level: custom
name: Ext
normalize: []
original_fieldset: group
short: Object for all custom defined fields to live in.
type: object
user.group.Ext.real:
dashed_name: user-group-Ext-real
description: Group info prior to any setgid operations.
flat_name: user.group.Ext.real
level: custom
name: Ext.real
normalize: []
original_fieldset: group
short: Group info prior to any setgid operations.
type: object
user.group.Ext.real.id:
dashed_name: user-group-Ext-real-id
description: Unique identifier for the group on the system/platform.
flat_name: user.group.Ext.real.id
ignore_above: 1024
level: custom
name: Ext.real.id
normalize: []
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
user.group.Ext.real.name:
dashed_name: user-group-Ext-real-name
description: Name of the group.
flat_name: user.group.Ext.real.name
ignore_above: 1024
level: custom
name: Ext.real.name
normalize: []
original_fieldset: group
short: Name of the group.
type: keyword
user.group.domain:
dashed_name: user-group-domain
description: Name of the directory the group is a member of. For example, an LDAP
or Active Directory domain name.
flat_name: user.group.domain
ignore_above: 1024
level: extended
name: domain
normalize: []
original_fieldset: group
short: Name of the directory the group is a member of.
type: keyword
user.group.id:
dashed_name: user-group-id
description: Unique identifier for the group on the system/platform.
flat_name: user.group.id
ignore_above: 1024
level: extended
name: id
normalize: []
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
user.group.name:
dashed_name: user-group-name
description: Name of the group.
flat_name: user.group.name
ignore_above: 1024
level: extended
name: name
normalize: []
original_fieldset: group
short: Name of the group.
type: keyword
# Review note: the anonymization this field promises holds only if the hash cannot be
# reversed by guessing its input. Login names and numeric ids are low-entropy, so a
# plain digest of user.name or user.id can be recovered by hashing candidate values;
# if this field must stand in for a confidential identity, derive it with a secret
# key (an HMAC or equivalent) rather than an unkeyed hash.
user.hash:
  dashed_name: user-hash
  description: 'Unique user hash to correlate information for a user in anonymized
    form.
    Useful if `user.id` or `user.name` contain confidential information and cannot
    be used.'
  flat_name: user.hash
  ignore_above: 1024
  level: extended
  name: hash
  normalize: []
  short: Unique user hash to correlate information for a user in anonymized form.
  type: keyword
# Review note: the example is a Windows security identifier (SID). The value is
# platform-specific (presumably a numeric uid string on POSIX hosts — confirm with the
# producer), so detection logic keyed on this field should not assume the SID shape.
user.id:
  dashed_name: user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  short: Unique identifier of the user.
  type: keyword
user.name:
dashed_name: user-name
description: Short name or login of the user.
example: a.einstein
flat_name: user.name
ignore_above: 1024
level: core
multi_fields:
- flat_name: user.name.text
name: text
type: match_only_text
name: name
normalize: []
short: Short name or login of the user.
type: keyword