schemas/v1/alerts/rule_detection_event.yaml (6,398 lines of code)

```yaml
'@timestamp':
  dashed_name: timestamp
  description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.'
  example: '2016-05-23T08:05:34.853Z'
  flat_name: '@timestamp'
  level: core
  name: '@timestamp'
  normalize: []
  required: true
  short: Date/time when the event originated.
  type: date
Events:
  dashed_name: Events
  description: events array
  flat_name: Events
  level: custom
  name: Events
  normalize: []
  short: events array
  type: object
Responses.@timestamp:
  dashed_name: Responses-timestamp
  description: Timestamp in which action was taken
  flat_name: Responses.@timestamp
  format: string
  level: custom
  name: '@timestamp'
  normalize: []
  short: Timestamp in which action was taken
  type: date
Responses.action:
  dashed_name: Responses-action
  description: Dictionary representing requested response action
  flat_name: Responses.action
  level: custom
  name: action
  normalize: []
  short: Dictionary representing requested response action
  type: nested
Responses.action.action:
  dashed_name: Responses-action-action
  description: Response action name
  flat_name: Responses.action.action
  ignore_above: 1024
  level: custom
  name: action.action
  normalize: []
  short: Response action name
  type: keyword
Responses.action.field:
  dashed_name: Responses-action-field
  description: Field in the triggering event to use as input for action
  flat_name: Responses.action.field
  level: custom
  name: action.field
  normalize: []
  norms: false
  short: Field in the triggering event to use as input for action
  type: text
Responses.action.file.attributes:
  dashed_name: Responses-action-file-attributes
  description: Destination file attributes
  flat_name: Responses.action.file.attributes
  ignore_above: 1024
  level: custom
  name: action.file.attributes
  normalize: []
  short: Destination file attributes
  type: keyword
Responses.action.file.path:
  dashed_name: Responses-action-file-path
  description: Destination file path
  flat_name: Responses.action.file.path
  ignore_above: 1024
  level: custom
  name: action.file.path
  normalize: []
  short: Destination file path
  type: keyword
Responses.action.file.reason:
  dashed_name: Responses-action-file-reason
  description: Combined USN file modification reason
  flat_name: Responses.action.file.reason
  level: custom
  name: action.file.reason
  normalize: []
  short: Combined USN file modification reason
  type: long
Responses.action.key.actions:
  dashed_name: Responses-action-key-actions
  description: Actions taken by Registry Rollback for key
  flat_name: Responses.action.key.actions
  ignore_above: 1024
  level: custom
  name: action.key.actions
  normalize: []
  short: Actions taken by Registry Rollback for key
  type: keyword
Responses.action.key.path:
  dashed_name: Responses-action-key-path
  description: NT path of registry key recovered by Rollback
  flat_name: Responses.action.key.path
  ignore_above: 1024
  level: custom
  name: action.key.path
  normalize: []
  short: NT path of registry key recovered by Rollback
  type: keyword
Responses.action.key.values:
  dashed_name: Responses-action-key-values
  description: Values modified
  flat_name: Responses.action.key.values
  level: custom
  name: action.key.values
  normalize: []
  short: Values modified
  type: object
Responses.action.key.values.actions:
  dashed_name: Responses-action-key-values-actions
  description: Actions taken by Registry Rollback for value
  flat_name: Responses.action.key.values.actions
  ignore_above: 1024
  level: custom
  name: action.key.values.actions
  normalize: []
  short: Actions taken by Registry Rollback for value
  type: keyword
Responses.action.key.values.name:
  dashed_name: Responses-action-key-values-name
  description: Value name recovered by Rollback
  flat_name: Responses.action.key.values.name
  ignore_above: 1024
  level: custom
  name: action.key.values.name
  normalize: []
  short: Value name recovered by Rollback
  type: keyword
Responses.action.process.message:
  dashed_name: Responses-action-process-message
  description: Status message for Process Rollback
  flat_name: Responses.action.process.message
  ignore_above: 1024
  level: custom
  name: action.process.message
  normalize: []
  short: Status message for Process Rollback
  type: keyword
Responses.action.process.path:
  dashed_name: Responses-action-process-path
  description: Path of process killed by Process Rollback
  flat_name: Responses.action.process.path
  ignore_above: 1024
  level: custom
  name: action.process.path
  normalize: []
  short: Path of process killed by Process Rollback
  type: keyword
Responses.action.process.result:
  dashed_name: Responses-action-process-result
  description: Result code for Process Rollback
  flat_name: Responses.action.process.result
  level: custom
  name: action.process.result
  normalize: []
  short: Result code for Process Rollback
  type: long
Responses.action.source.attributes:
  dashed_name: Responses-action-source-attributes
  description: Source file attributes
  flat_name: Responses.action.source.attributes
  ignore_above: 1024
  level: custom
  name: action.source.attributes
  normalize: []
  short: Source file attributes
  type: keyword
Responses.action.source.path:
  dashed_name: Responses-action-source-path
  description: Source file path
  flat_name: Responses.action.source.path
  ignore_above: 1024
  level: custom
  name: action.source.path
  normalize: []
  short: Source file path
  type: keyword
Responses.action.state:
  dashed_name: Responses-action-state
  description: Index of event in events array to use for field lookup
  flat_name: Responses.action.state
  level: custom
  name: action.state
  normalize: []
  short: Index of event in events array to use for field lookup
  type: long
Responses.action.tree:
  dashed_name: Responses-action-tree
  description: Indicates whether or not an action was taken against an entire process tree
  flat_name: Responses.action.tree
  level: custom
  name: action.tree
  normalize: []
  short: Indicates whether or not an action was taken against an entire process tree
  type: boolean
Responses.message:
  dashed_name: Responses-message
  description: Result message
  flat_name: Responses.message
  level: custom
  name: message
  normalize: []
  norms: false
  short: Result message
  type: text
Responses.process:
  dashed_name: Responses-process
  description: Dictionary representing process information
  flat_name: Responses.process
  level: custom
  name: process
  normalize: []
  short: Dictionary representing process information
  type: nested
Responses.process.entity_id:
  dashed_name: Responses-process-entity-id
  description: Entity id of actionable process
  flat_name: Responses.process.entity_id
  level: custom
  name: process.entity_id
  normalize: []
  norms: false
  short: Entity id of actionable process
  type: text
Responses.process.name:
  dashed_name: Responses-process-name
  description: Name of actionable process
  flat_name: Responses.process.name
  ignore_above: 1024
  level: custom
  name: process.name
  normalize: []
  short: Name of actionable process
  type: keyword
Responses.process.pid:
  dashed_name: Responses-process-pid
  description: pid of actionable process
  flat_name: Responses.process.pid
  level: custom
  name: process.pid
  normalize: []
  short: pid of actionable process
  type: long
Responses.result:
  dashed_name: Responses-result
  description: Response action result code
  flat_name: Responses.result
  level: custom
  name: result
  normalize: []
  short: Response action result code
  type: long
destination.geo.city_name:
  dashed_name: destination-geo-city-name
  description: City name.
  example: Montreal
  flat_name: destination.geo.city_name
  ignore_above: 1024
  level: core
  name: city_name
  normalize: []
  original_fieldset: geo
  short: City name.
  type: keyword
destination.geo.continent_code:
  dashed_name: destination-geo-continent-code
  description: Two-letter code representing continent's name.
  example: NA
  flat_name: destination.geo.continent_code
  ignore_above: 1024
  level: core
  name: continent_code
  normalize: []
  original_fieldset: geo
  short: Continent code.
  type: keyword
destination.geo.continent_name:
  dashed_name: destination-geo-continent-name
  description: Name of the continent.
  example: North America
  flat_name: destination.geo.continent_name
  ignore_above: 1024
  level: core
  name: continent_name
  normalize: []
  original_fieldset: geo
  short: Name of the continent.
  type: keyword
destination.geo.country_iso_code:
  dashed_name: destination-geo-country-iso-code
  description: Country ISO code.
  example: CA
  flat_name: destination.geo.country_iso_code
  ignore_above: 1024
  level: core
  name: country_iso_code
  normalize: []
  original_fieldset: geo
  short: Country ISO code.
  type: keyword
destination.geo.country_name:
  dashed_name: destination-geo-country-name
  description: Country name.
  example: Canada
  flat_name: destination.geo.country_name
  ignore_above: 1024
  level: core
  name: country_name
  normalize: []
  original_fieldset: geo
  short: Country name.
  type: keyword
destination.geo.location:
  dashed_name: destination-geo-location
  description: Longitude and latitude.
  example: '{ "lon": -73.614830, "lat": 45.505918 }'
  flat_name: destination.geo.location
  level: core
  name: location
  normalize: []
  original_fieldset: geo
  short: Longitude and latitude.
  type: geo_point
destination.geo.name:
  dashed_name: destination-geo-name
  description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.'
  example: boston-dc
  flat_name: destination.geo.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: geo
  short: User-defined description of a location.
  type: keyword
destination.geo.postal_code:
  dashed_name: destination-geo-postal-code
  description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.'
  example: 94040
  flat_name: destination.geo.postal_code
  ignore_above: 1024
  level: core
  name: postal_code
  normalize: []
  original_fieldset: geo
  short: Postal code.
  type: keyword
destination.geo.region_iso_code:
  dashed_name: destination-geo-region-iso-code
  description: Region ISO code.
  example: CA-QC
  flat_name: destination.geo.region_iso_code
  ignore_above: 1024
  level: core
  name: region_iso_code
  normalize: []
  original_fieldset: geo
  short: Region ISO code.
  type: keyword
destination.geo.region_name:
  dashed_name: destination-geo-region-name
  description: Region name.
  example: Quebec
  flat_name: destination.geo.region_name
  ignore_above: 1024
  level: core
  name: region_name
  normalize: []
  original_fieldset: geo
  short: Region name.
  type: keyword
destination.geo.timezone:
  dashed_name: destination-geo-timezone
  description: The time zone of the location, such as IANA time zone name.
  example: America/Argentina/Buenos_Aires
  flat_name: destination.geo.timezone
  ignore_above: 1024
  level: core
  name: timezone
  normalize: []
  original_fieldset: geo
  short: Time zone.
  type: keyword
message:
  dashed_name: message
  description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.'
  example: Hello World
  flat_name: message
  level: core
  name: message
  normalize: []
  short: Log message optimized for viewing in a log viewer.
  type: match_only_text
process.Ext:
  dashed_name: process-Ext
  description: Object for all custom defined fields to live in.
  flat_name: process.Ext
  level: custom
  name: Ext
  normalize: []
  short: Object for all custom defined fields to live in.
  type: object
process.Ext.ancestry:
  dashed_name: process-Ext-ancestry
  description: An array of entity_ids indicating the ancestors for this event
  flat_name: process.Ext.ancestry
  ignore_above: 1024
  level: custom
  name: Ext.ancestry
  normalize: []
  short: An array of entity_ids indicating the ancestors for this event
  type: keyword
process.Ext.api.behaviors:
  dashed_name: process-Ext-api-behaviors
  description: |-
    A list of observed behaviors.
     "cross-process" - the observed activity was between two processes
     "parent-child" - the observed activity was between a parent process and its child
     "native_api" - a call was made directly to the Native API rather than the Win32 API
     "direct_syscall" - a syscall instruction originated outside of the Native API layer
     "proxy_call" - the call stack may indicate a proxied API call to mask the true source
     "sensitive_api" - executable non-image memory is unexpectedly calling a sensitive API
     "shellcode" - suspicious executable non-image memory is calling a sensitive API
     "image_hooked" - an entry in the callstack appears to have been hooked
     "image_indirect_call" - an entry in the callstack was preceded by a call to a dynamically resolved function
     "image_rop" - no call instruction preceded an entry in the call stack
     "image_rwx" - an entry in the callstack is writable
     "unbacked_rwx" - an entry in the callstack is non-image and writable
     "truncated_stack" - call stack is unexpectedly truncated due to malicious tampering or system load
     "allocate_shellcode" - a region of non-image executable memory allocated more executable memory
     "execute_fluctuation" - the PAGE_EXECUTE protection is unexpectedly fluctuating
     "write_fluctuation" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating
     "hook_api" - a change to the memory protection of a small executable image memory region was made
     "hollow_image" - a change to the memory protection of a large executable image memory region was made
     "hook_unbacked" - a change to the memory protection of a small executable non-image memory was made
     "hollow_unbacked" - a change to the memory protection of a large executable non-image memory was made
     "guarded_code" - executable memory was unexpectedly marked as PAGE_GUARD
     "hidden_code" - executable memory was unexpectedly marked as PAGE_NOACCESS
     "execute_shellcode" - a region of non-image executable memory was unexpectedly transferred control
     "hardware_breakpoint_set" - a hardware breakpoint was set
     "rapid_background_polling" - a suspicious process which does rapid input polling via GetAsyncKeyState API was observed
     "multiple_polling_processes" - multiple suspicious processes which do rapid input polling via the GetAsyncKeyState API were observed
     "pid_spoofing" - The acting process details may have been spoofed to hide the true origin
     "legacy_api" - a deprecated or superseded API was called
  example: '[ "cross-process", "rapid_background_polling", "multiple_polling_processes", "native_api", "shellcode" ]'
  flat_name: process.Ext.api.behaviors
  ignore_above: 1024
  level: custom
  name: behaviors
  normalize: []
  original_fieldset: api
  short: A list of observed behaviors.
  type: keyword
process.Ext.api.name:
  dashed_name: process-Ext-api-name
  description: The name of the API, usually the name of the function or system call.
  example: VirtualAlloc
  flat_name: process.Ext.api.name
  ignore_above: 1024
  level: custom
  name: name
  normalize: []
  original_fieldset: api
  short: The name of the API, usually the name of the function or system call.
  type: keyword
process.Ext.api.parameters:
  dashed_name: process-Ext-api-parameters
  description: Parameter values passed to the API call.
  flat_name: process.Ext.api.parameters
  level: custom
  name: parameters
  normalize: []
  original_fieldset: api
  short: Parameter values passed to the API call.
  type: object
process.Ext.api.parameters.app_name:
  dashed_name: process-Ext-api-parameters-app-name
  description: The application name requesting the AMSI scan.
  example: PowerShell
  flat_name: process.Ext.api.parameters.app_name
  ignore_above: 1024
  level: custom
  name: parameters.app_name
  normalize: []
  original_fieldset: api
  short: The application name requesting the AMSI scan.
  type: keyword
process.Ext.api.parameters.content_name:
  dashed_name: process-Ext-api-parameters-content-name
  description: The content name, typically a filename, associated with an AMSI scan.
  example: C:\script.ps1
  flat_name: process.Ext.api.parameters.content_name
  ignore_above: 1024
  level: custom
  name: parameters.content_name
  normalize: []
  original_fieldset: api
  short: The content name, typically a filename, associated with an AMSI scan.
  type: keyword
process.Ext.api.summary:
  dashed_name: process-Ext-api-summary
  description: The summary of the API call and its parameters.
  example: VirtualAllocEx( file.exe, NULL, 0x42000, COMMIT|RESERVE, RWX )
  flat_name: process.Ext.api.summary
  ignore_above: 1024
  level: custom
  name: summary
  normalize: []
  original_fieldset: api
  short: The summary of the API call and its parameters.
  type: keyword
process.Ext.code_signature:
  dashed_name: process-Ext-code-signature
  description: Nested version of ECS code_signature fieldset.
  flat_name: process.Ext.code_signature
  level: custom
  name: Ext.code_signature
  normalize: []
  short: Nested version of ECS code_signature fieldset.
  type: nested
process.Ext.code_signature.exists:
  dashed_name: process-Ext-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: process.Ext.code_signature.exists
  level: custom
  name: Ext.code_signature.exists
  normalize: []
  short: Boolean to capture if a signature is present.
  type: boolean
process.Ext.code_signature.status:
  dashed_name: process-Ext-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: process.Ext.code_signature.status
  ignore_above: 1024
  level: custom
  name: Ext.code_signature.status
  normalize: []
  short: Additional information about the certificate status.
  type: keyword
process.Ext.code_signature.subject_name:
  dashed_name: process-Ext-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: process.Ext.code_signature.subject_name
  ignore_above: 1024
  level: custom
  name: Ext.code_signature.subject_name
  normalize: []
  short: Subject name of the code signer
  type: keyword
process.Ext.code_signature.trusted:
  dashed_name: process-Ext-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: process.Ext.code_signature.trusted
  level: custom
  name: Ext.code_signature.trusted
  normalize: []
  short: Stores the trust status of the certificate chain.
  type: boolean
process.Ext.created_suspended:
  dashed_name: process-Ext-created-suspended
  description: A heuristic indicating if the CREATE_SUSPENDED flag was passed to the Win32 CreateProcess API. Not valid for direct syscalls.
  example: 'true'
  flat_name: process.Ext.created_suspended
  level: custom
  name: Ext.created_suspended
  normalize: []
  short: A heuristic indicating if the CREATE_SUSPENDED flag was passed to the Win32 CreateProcess API.
  type: boolean
process.Ext.protection:
  dashed_name: process-Ext-protection
  description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light.
  flat_name: process.Ext.protection
  ignore_above: 1024
  level: custom
  name: Ext.protection
  normalize: []
  short: OS-level protections granted to this process
  type: keyword
process.Ext.token.integrity_level_name:
  dashed_name: process-Ext-token-integrity-level-name
  description: Human readable integrity level.
  example: one of "system", "high", "medium", "low", "untrusted"
  flat_name: process.Ext.token.integrity_level_name
  ignore_above: 1024
  level: custom
  name: integrity_level_name
  normalize: []
  original_fieldset: token
  short: Human readable integrity level.
  type: keyword
process.code_signature.exists:
  dashed_name: process-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: process.code_signature.exists
  level: core
  name: exists
  normalize: []
  original_fieldset: code_signature
  short: Boolean to capture if a signature is present.
  type: boolean
process.code_signature.status:
  dashed_name: process-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: process.code_signature.status
  ignore_above: 1024
  level: extended
  name: status
  normalize: []
  original_fieldset: code_signature
  short: Additional information about the certificate status.
  type: keyword
process.code_signature.subject_name:
  dashed_name: process-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: process.code_signature.subject_name
  ignore_above: 1024
  level: core
  name: subject_name
  normalize: []
  original_fieldset: code_signature
  short: Subject name of the code signer
  type: keyword
process.code_signature.trusted:
  dashed_name: process-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: process.code_signature.trusted
  level: extended
  name: trusted
  normalize: []
  original_fieldset: code_signature
  short: Stores the trust status of the certificate chain.
  type: boolean
process.command_line:
  dashed_name: process-command-line
  description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.'
  example: /usr/bin/ssh -l user 10.0.0.16
  flat_name: process.command_line
  level: extended
  multi_fields:
  - flat_name: process.command_line.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.command_line.text
    name: text
    norms: false
    type: text
  name: command_line
  normalize: []
  short: Full command line that started the process.
  type: wildcard
process.entity_id:
  dashed_name: process-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  short: Unique identifier for the process.
  type: keyword
process.executable:
  dashed_name: process-executable
  description: Absolute path to the process executable.
  example: /usr/bin/ssh
  flat_name: process.executable
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.executable.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.executable.text
    name: text
    norms: false
    type: text
  name: executable
  normalize: []
  short: Absolute path to the process executable.
  type: keyword
process.name:
  dashed_name: process-name
  description: 'Process name. Sometimes called program name or similar.'
  example: ssh
  flat_name: process.name
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.name.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.name.text
    name: text
    norms: false
    type: text
  name: name
  normalize: []
  short: Process name.
  type: keyword
process.pid:
  dashed_name: process-pid
  description: Process id.
  example: 4242
  flat_name: process.pid
  format: string
  level: core
  name: pid
  normalize: []
  short: Process id.
  type: long
process.thread.Ext:
  dashed_name: process-thread-Ext
  description: Object for all custom defined fields to live in.
  flat_name: process.thread.Ext
  level: custom
  name: thread.Ext
  normalize: []
  short: Object for all custom defined fields to live in.
  type: object
process.thread.Ext.call_stack_final_hook_module:
  dashed_name: process-thread-Ext-call-stack-final-hook-module
  description: The module that installed the final API hook in the call stack.
  flat_name: process.thread.Ext.call_stack_final_hook_module
  level: custom
  name: thread.Ext.call_stack_final_hook_module
  normalize: []
  short: The module that installed the final API hook in the call stack.
  type: nested
process.thread.Ext.call_stack_final_hook_module.code_signature:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature
  description: Code signature of the call_stack_final_hook_module.
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature
  normalize: []
  short: Code signature of the call_stack_final_hook_module.
  type: nested
process.thread.Ext.call_stack_final_hook_module.code_signature.exists:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature.exists
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature.exists
  normalize: []
  short: Boolean to capture if a signature is present.
  type: boolean
process.thread.Ext.call_stack_final_hook_module.code_signature.status:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature.status
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature.status
  normalize: []
  short: Additional information about the certificate status.
  type: keyword
process.thread.Ext.call_stack_final_hook_module.code_signature.subject_name:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature.subject_name
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature.subject_name
  normalize: []
  short: Subject name of the code signer
  type: keyword
process.thread.Ext.call_stack_final_hook_module.code_signature.trusted:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature.trusted
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature.trusted
  normalize: []
  short: Stores the trust status of the certificate chain.
  type: boolean
process.thread.Ext.call_stack_final_hook_module.hash:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-hash
  description: Hashes of the call_stack_final_hook_module.
  flat_name: process.thread.Ext.call_stack_final_hook_module.hash
  level: custom
  name: thread.Ext.call_stack_final_hook_module.hash
  normalize: []
  short: Hashes of the call_stack_final_hook_module.
  type: object
process.thread.Ext.call_stack_final_hook_module.hash.sha256:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-hash-sha256
  description: The sha256 of the call_stack_final_hook_module.
  example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0
  flat_name: process.thread.Ext.call_stack_final_hook_module.hash.sha256
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_hook_module.hash.sha256
  normalize: []
  short: The sha256 of the call_stack_final_hook_module.
  type: keyword
process.thread.Ext.call_stack_final_hook_module.path:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-path
  description: The file path of the call_stack_final_hook_module.
  example: C:\Program Files\Example\example.dll
  flat_name: process.thread.Ext.call_stack_final_hook_module.path
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_hook_module.path
  normalize: []
  short: The file path of the call_stack_final_hook_module.
  type: keyword
process.thread.Ext.call_stack_final_user_module:
  dashed_name: process-thread-Ext-call-stack-final-user-module
  description: The final non-win32 module in the call stack.
  flat_name: process.thread.Ext.call_stack_final_user_module
  level: custom
  name: thread.Ext.call_stack_final_user_module
  normalize: []
  short: The final non-win32 module in the call stack.
  type: nested
process.thread.Ext.call_stack_final_user_module.code_signature:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature
  description: Code signature of the call_stack_final_user_module.
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature
  normalize: []
  short: Code signature of the call_stack_final_user_module.
  type: nested
process.thread.Ext.call_stack_final_user_module.code_signature.exists:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.exists
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature.exists
  normalize: []
  short: Boolean to capture if a signature is present.
  type: boolean
process.thread.Ext.call_stack_final_user_module.code_signature.status:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.status
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature.status
  normalize: []
  short: Additional information about the certificate status.
  type: keyword
process.thread.Ext.call_stack_final_user_module.code_signature.subject_name:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.subject_name
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature.subject_name
  normalize: []
  short: Subject name of the code signer
  type: keyword
process.thread.Ext.call_stack_final_user_module.code_signature.trusted:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.trusted
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature.trusted
  normalize: []
  short: Stores the trust status of the certificate chain.
  type: boolean
process.thread.Ext.call_stack_final_user_module.hash:
  dashed_name: process-thread-Ext-call-stack-final-user-module-hash
  description: Hashes of the call_stack_final_user_module.
  flat_name: process.thread.Ext.call_stack_final_user_module.hash
  level: custom
  name: thread.Ext.call_stack_final_user_module.hash
  normalize: []
  short: Hashes of the call_stack_final_user_module.
  type: object
process.thread.Ext.call_stack_final_user_module.hash.sha256:
  dashed_name: process-thread-Ext-call-stack-final-user-module-hash-sha256
  description: The sha256 of the call_stack_final_user_module.
  example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0
  flat_name: process.thread.Ext.call_stack_final_user_module.hash.sha256
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_user_module.hash.sha256
  normalize: []
  short: The sha256 of the call_stack_final_user_module.
  type: keyword
process.thread.Ext.call_stack_final_user_module.name:
  dashed_name: process-thread-Ext-call-stack-final-user-module-name
  description: The file name of the call_stack_final_user_module.
  example: example.dll
  flat_name: process.thread.Ext.call_stack_final_user_module.name
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_user_module.name
  normalize: []
  short: The file name of the call_stack_final_user_module.
  type: keyword
process.thread.Ext.call_stack_final_user_module.path:
  dashed_name: process-thread-Ext-call-stack-final-user-module-path
  description: The file path of the call_stack_final_user_module.
  example: C:\Program Files\Example\example.dll
  flat_name: process.thread.Ext.call_stack_final_user_module.path
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_user_module.path
  normalize: []
  short: The file path of the call_stack_final_user_module.
  type: keyword
process.thread.Ext.call_stack_summary:
  dashed_name: process-thread-Ext-call-stack-summary
  description: Concatenation of the non-repeated modules in the call stack.
  example: ntdll.dll|example.exe|kernel32.dll|ntdll.dll
  flat_name: process.thread.Ext.call_stack_summary
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_summary
  normalize: []
  short: Concatenation of the non-repeated modules in the call stack.
  type: keyword
process.thread.id:
  dashed_name: process-thread-id
  description: Thread ID.
  example: 4242
  flat_name: process.thread.id
  format: string
  level: extended
  name: thread.id
  normalize: []
  short: Thread ID.
  type: long
source.geo.city_name:
  dashed_name: source-geo-city-name
  description: City name.
  example: Montreal
  flat_name: source.geo.city_name
  ignore_above: 1024
  level: core
  name: city_name
  normalize: []
  original_fieldset: geo
  short: City name.
  type: keyword
source.geo.continent_code:
  dashed_name: source-geo-continent-code
  description: Two-letter code representing continent's name.
  example: NA
  flat_name: source.geo.continent_code
  ignore_above: 1024
  level: core
  name: continent_code
  normalize: []
  original_fieldset: geo
  short: Continent code.
  type: keyword
source.geo.continent_name:
  dashed_name: source-geo-continent-name
  description: Name of the continent.
  example: North America
  flat_name: source.geo.continent_name
  ignore_above: 1024
  level: core
  name: continent_name
  normalize: []
  original_fieldset: geo
  short: Name of the continent.
  type: keyword
source.geo.country_iso_code:
  dashed_name: source-geo-country-iso-code
  description: Country ISO code.
```
example: CA flat_name: source.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code normalize: [] original_fieldset: geo short: Country ISO code. type: keyword source.geo.country_name: dashed_name: source-geo-country-name description: Country name. example: Canada flat_name: source.geo.country_name ignore_above: 1024 level: core name: country_name normalize: [] original_fieldset: geo short: Country name. type: keyword source.geo.location: dashed_name: source-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' flat_name: source.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point source.geo.name: dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc flat_name: source.geo.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. type: keyword source.geo.postal_code: dashed_name: source-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 flat_name: source.geo.postal_code ignore_above: 1024 level: core name: postal_code normalize: [] original_fieldset: geo short: Postal code. type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. example: CA-QC flat_name: source.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code normalize: [] original_fieldset: geo short: Region ISO code. type: keyword source.geo.region_name: dashed_name: source-geo-region-name description: Region name. 
example: Quebec flat_name: source.geo.region_name ignore_above: 1024 level: core name: region_name normalize: [] original_fieldset: geo short: Region name. type: keyword source.geo.timezone: dashed_name: source-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires flat_name: source.geo.timezone ignore_above: 1024 level: core name: timezone normalize: [] original_fieldset: geo short: Time zone. type: keyword threat.enrichments: dashed_name: threat-enrichments description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. flat_name: threat.enrichments level: extended name: enrichments normalize: - array short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: dashed_name: threat-enrichments-indicator description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator level: extended name: enrichments.indicator normalize: [] short: Object containing indicators enriching the event. type: object threat.enrichments.indicator.file.Ext: dashed_name: threat-enrichments-indicator-file-Ext description: Object for all custom defined fields to live in. flat_name: threat.enrichments.indicator.file.Ext level: custom name: Ext normalize: [] original_fieldset: file short: Object for all custom defined fields to live in. type: object threat.enrichments.indicator.file.Ext.code_signature: dashed_name: threat-enrichments-indicator-file-Ext-code-signature description: Nested version of ECS code_signature fieldset. flat_name: threat.enrichments.indicator.file.Ext.code_signature level: custom name: Ext.code_signature normalize: [] original_fieldset: file short: Nested version of ECS code_signature fieldset. 
type: nested threat.enrichments.indicator.file.Ext.code_signature.exists: dashed_name: threat-enrichments-indicator-file-Ext-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' flat_name: threat.enrichments.indicator.file.Ext.code_signature.exists level: core name: Ext.code_signature.exists normalize: [] original_fieldset: file short: Boolean to capture if a signature is present. type: boolean threat.enrichments.indicator.file.Ext.code_signature.status: dashed_name: threat-enrichments-indicator-file-Ext-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: threat.enrichments.indicator.file.Ext.code_signature.status ignore_above: 1024 level: custom name: Ext.code_signature.status normalize: [] original_fieldset: file short: Additional information about the certificate status. type: keyword threat.enrichments.indicator.file.Ext.code_signature.subject_name: dashed_name: threat-enrichments-indicator-file-Ext-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation flat_name: threat.enrichments.indicator.file.Ext.code_signature.subject_name ignore_above: 1024 level: core name: Ext.code_signature.subject_name normalize: [] original_fieldset: file short: Subject name of the code signer type: keyword threat.enrichments.indicator.file.Ext.code_signature.trusted: dashed_name: threat-enrichments-indicator-file-Ext-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' 
example: 'true' flat_name: threat.enrichments.indicator.file.Ext.code_signature.trusted level: custom name: Ext.code_signature.trusted normalize: [] original_fieldset: file short: Stores the trust status of the certificate chain. type: boolean threat.enrichments.indicator.file.Ext.code_signature.valid: dashed_name: threat-enrichments-indicator-file-Ext-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: threat.enrichments.indicator.file.Ext.code_signature.valid level: custom name: Ext.code_signature.valid normalize: [] original_fieldset: file short: Boolean to capture if the digital signature is verified against the binary content. type: boolean threat.enrichments.indicator.file.Ext.device.bus_type: dashed_name: threat-enrichments-indicator-file-Ext-device-bus-type description: Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. flat_name: threat.enrichments.indicator.file.Ext.device.bus_type ignore_above: 1024 level: custom name: Ext.device.bus_type normalize: [] original_fieldset: file short: Bus type of the device. type: keyword threat.enrichments.indicator.file.Ext.device.dos_name: dashed_name: threat-enrichments-indicator-file-Ext-device-dos-name description: DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... flat_name: threat.enrichments.indicator.file.Ext.device.dos_name ignore_above: 1024 level: custom name: Ext.device.dos_name normalize: [] original_fieldset: file short: DOS name of the device. type: keyword threat.enrichments.indicator.file.Ext.device.nt_name: dashed_name: threat-enrichments-indicator-file-Ext-device-nt-name description: 'NT name of the device. 
NT device name is in the format such as: \Device\HarddiskVolume2' flat_name: threat.enrichments.indicator.file.Ext.device.nt_name ignore_above: 1024 level: custom name: Ext.device.nt_name normalize: [] original_fieldset: file short: NT name of the device. type: keyword threat.enrichments.indicator.file.Ext.device.product_id: dashed_name: threat-enrichments-indicator-file-Ext-device-product-id description: ProductID of the device. It is provided by the vendor of the device if any. flat_name: threat.enrichments.indicator.file.Ext.device.product_id ignore_above: 1024 level: custom name: Ext.device.product_id normalize: [] original_fieldset: file short: ProductID of the device. type: keyword threat.enrichments.indicator.file.Ext.device.serial_number: dashed_name: threat-enrichments-indicator-file-Ext-device-serial-number description: Serial Number of the device. It is provided by the vendor of the device if any. flat_name: threat.enrichments.indicator.file.Ext.device.serial_number ignore_above: 1024 level: custom name: Ext.device.serial_number normalize: [] original_fieldset: file short: Serial Number of the device. type: keyword threat.enrichments.indicator.file.Ext.device.vendor_id: dashed_name: threat-enrichments-indicator-file-Ext-device-vendor-id description: VendorID of the device. It is provided by the vendor of the device. flat_name: threat.enrichments.indicator.file.Ext.device.vendor_id ignore_above: 1024 level: custom name: Ext.device.vendor_id normalize: [] original_fieldset: file short: VendorID of the device. type: keyword threat.enrichments.indicator.file.Ext.entropy: dashed_name: threat-enrichments-indicator-file-Ext-entropy description: Entropy calculation of file's header and footer used to check file integrity. 
flat_name: threat.enrichments.indicator.file.Ext.entropy level: custom name: Ext.entropy normalize: [] original_fieldset: file short: File entropy value type: double threat.enrichments.indicator.file.Ext.entry_modified: dashed_name: threat-enrichments-indicator-file-Ext-entry-modified description: Time of last status change. See `st_ctim` member of `struct stat`. flat_name: threat.enrichments.indicator.file.Ext.entry_modified level: custom name: Ext.entry_modified normalize: [] original_fieldset: file short: Time of last status change. See `st_ctim` member of `struct stat`. type: double threat.enrichments.indicator.file.Ext.header_bytes: dashed_name: threat-enrichments-indicator-file-Ext-header-bytes description: First 16 bytes of file used to check file integrity. flat_name: threat.enrichments.indicator.file.Ext.header_bytes ignore_above: 1024 level: custom name: Ext.header_bytes normalize: [] original_fieldset: file short: Header bytes type: keyword threat.enrichments.indicator.file.Ext.header_data: dashed_name: threat-enrichments-indicator-file-Ext-header-data description: First 16 bytes of file used to check file integrity. flat_name: threat.enrichments.indicator.file.Ext.header_data level: custom name: Ext.header_data normalize: [] norms: false original_fieldset: file short: Header data type: text threat.enrichments.indicator.file.Ext.malware_classification.features.data.buffer: dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-features-data-buffer description: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. flat_name: threat.enrichments.indicator.file.Ext.malware_classification.features.data.buffer ignore_above: 1024 level: custom name: features.data.buffer normalize: [] original_fieldset: malware_classification short: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. 
type: keyword threat.enrichments.indicator.file.Ext.malware_classification.features.data.decompressed_size: dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-features-data-decompressed-size description: The decompressed size of buffer. flat_name: threat.enrichments.indicator.file.Ext.malware_classification.features.data.decompressed_size level: custom name: features.data.decompressed_size normalize: [] original_fieldset: malware_classification short: The decompressed size of buffer. type: integer threat.enrichments.indicator.file.Ext.malware_classification.features.data.encoding: dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-features-data-encoding description: The encoding of buffer (e.g. zlib). flat_name: threat.enrichments.indicator.file.Ext.malware_classification.features.data.encoding ignore_above: 1024 level: custom name: features.data.encoding normalize: [] original_fieldset: malware_classification short: The encoding of buffer (e.g. zlib). type: keyword threat.enrichments.indicator.file.Ext.malware_classification.identifier: dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-identifier description: The model's unique identifier. flat_name: threat.enrichments.indicator.file.Ext.malware_classification.identifier ignore_above: 1024 level: custom name: identifier normalize: [] original_fieldset: malware_classification short: The model's unique identifier. type: keyword threat.enrichments.indicator.file.Ext.malware_classification.score: dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-score description: The score produced by the classification model. flat_name: threat.enrichments.indicator.file.Ext.malware_classification.score level: custom name: score normalize: [] original_fieldset: malware_classification short: The score produced by the classification model. 
type: double threat.enrichments.indicator.file.Ext.malware_classification.threshold: dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-threshold description: The score threshold for the model. Files that score above this threshold are considered malicious. flat_name: threat.enrichments.indicator.file.Ext.malware_classification.threshold level: custom name: threshold normalize: [] original_fieldset: malware_classification short: The score threshold for the model. Files that score above this threshold are considered malicious. type: double threat.enrichments.indicator.file.Ext.malware_classification.upx_packed: dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-upx-packed description: Whether UPX packing was detected. flat_name: threat.enrichments.indicator.file.Ext.malware_classification.upx_packed level: custom name: upx_packed normalize: [] original_fieldset: malware_classification short: Whether UPX packing was detected. type: boolean threat.enrichments.indicator.file.Ext.malware_classification.version: dashed_name: threat-enrichments-indicator-file-Ext-malware-classification-version description: The version of the model used. flat_name: threat.enrichments.indicator.file.Ext.malware_classification.version ignore_above: 1024 level: custom name: version normalize: [] original_fieldset: malware_classification short: The version of the model used. type: keyword threat.enrichments.indicator.file.Ext.malware_signature: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature description: Nested version of malware_signature fieldset. flat_name: threat.enrichments.indicator.file.Ext.malware_signature level: custom name: Ext.malware_signature normalize: [] original_fieldset: file short: Nested version of malware_signature fieldset. 
type: nested threat.enrichments.indicator.file.Ext.malware_signature.all_names: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-all-names description: The concatenated names of all yara signatures flat_name: threat.enrichments.indicator.file.Ext.malware_signature.all_names level: custom name: Ext.malware_signature.all_names normalize: [] norms: false original_fieldset: file short: Yara signature names type: text threat.enrichments.indicator.file.Ext.malware_signature.identifier: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-identifier description: Malware artifact identifier. flat_name: threat.enrichments.indicator.file.Ext.malware_signature.identifier level: custom name: Ext.malware_signature.identifier normalize: [] norms: false original_fieldset: file short: Malware artifact identifier type: text threat.enrichments.indicator.file.Ext.malware_signature.primary: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary description: Primary malware signature match. flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary level: custom name: Ext.malware_signature.primary normalize: [] original_fieldset: file short: Primary malware signature match type: nested threat.enrichments.indicator.file.Ext.malware_signature.primary.matches: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-matches description: An array of bytes representing yara signature matches flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.matches level: custom name: Ext.malware_signature.primary.matches normalize: - array original_fieldset: file short: signature match bytes type: nested threat.enrichments.indicator.file.Ext.malware_signature.primary.signature: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature description: Primary malware signature match. 
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature level: custom name: Ext.malware_signature.primary.signature normalize: [] original_fieldset: file short: Primary malware signature match type: nested threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature-hash description: Primary malware signature hash. flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash level: custom name: Ext.malware_signature.primary.signature.hash normalize: [] original_fieldset: file short: Primary malware signature hash type: nested threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash.sha256: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature-hash-sha256 description: Primary malware signature sha256. flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash.sha256 ignore_above: 1024 level: custom name: Ext.malware_signature.primary.signature.hash.sha256 normalize: [] original_fieldset: file short: Primary malware signature sha256 type: keyword threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.id: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature-id description: Primary malware signature id. flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.id ignore_above: 1024 level: custom name: Ext.malware_signature.primary.signature.id normalize: [] original_fieldset: file short: Primary malware signature id type: keyword threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.name: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-primary-signature-name description: Primary malware signature name. 
flat_name: threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.name ignore_above: 1024 level: custom name: Ext.malware_signature.primary.signature.name normalize: [] original_fieldset: file short: Primary malware signature name type: keyword threat.enrichments.indicator.file.Ext.malware_signature.secondary: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-secondary description: An array of malware signature matches flat_name: threat.enrichments.indicator.file.Ext.malware_signature.secondary level: custom name: Ext.malware_signature.secondary normalize: - array original_fieldset: file short: secondary signature matches type: nested threat.enrichments.indicator.file.Ext.malware_signature.version: dashed_name: threat-enrichments-indicator-file-Ext-malware-signature-version description: Primary malware signature version. flat_name: threat.enrichments.indicator.file.Ext.malware_signature.version ignore_above: 1024 level: custom name: Ext.malware_signature.version normalize: [] original_fieldset: file short: Primary malware signature version type: keyword threat.enrichments.indicator.file.Ext.monotonic_id: dashed_name: threat-enrichments-indicator-file-Ext-monotonic-id description: File event monotonic ID. flat_name: threat.enrichments.indicator.file.Ext.monotonic_id level: custom name: Ext.monotonic_id normalize: [] original_fieldset: file short: File event monotonic ID type: unsigned_long threat.enrichments.indicator.file.Ext.original: dashed_name: threat-enrichments-indicator-file-Ext-original description: Original file information during a modification event. flat_name: threat.enrichments.indicator.file.Ext.original level: custom name: Ext.original normalize: [] original_fieldset: file short: Original file information during a modification event. type: object threat.enrichments.indicator.file.Ext.original.gid: dashed_name: threat-enrichments-indicator-file-Ext-original-gid description: Primary group ID (GID) of the file. 
example: '1001' flat_name: threat.enrichments.indicator.file.Ext.original.gid ignore_above: 1024 level: custom name: Ext.original.gid normalize: [] original_fieldset: file short: Primary group ID (GID) of the file. type: keyword threat.enrichments.indicator.file.Ext.original.group: dashed_name: threat-enrichments-indicator-file-Ext-original-group description: Primary group name of the file. example: alice flat_name: threat.enrichments.indicator.file.Ext.original.group ignore_above: 1024 level: custom name: Ext.original.group normalize: [] original_fieldset: file short: Primary group name of the file. type: keyword threat.enrichments.indicator.file.Ext.original.mode: dashed_name: threat-enrichments-indicator-file-Ext-original-mode description: Original file mode prior to a modification event flat_name: threat.enrichments.indicator.file.Ext.original.mode ignore_above: 1024 level: custom name: Ext.original.mode normalize: [] original_fieldset: file short: Original file mode prior to a modification event type: keyword threat.enrichments.indicator.file.Ext.original.name: dashed_name: threat-enrichments-indicator-file-Ext-original-name description: Original file name prior to a modification event flat_name: threat.enrichments.indicator.file.Ext.original.name ignore_above: 1024 level: custom name: Ext.original.name normalize: [] original_fieldset: file short: Original file name prior to a modification event type: keyword threat.enrichments.indicator.file.Ext.original.owner: dashed_name: threat-enrichments-indicator-file-Ext-original-owner description: File owner's username. example: alice flat_name: threat.enrichments.indicator.file.Ext.original.owner ignore_above: 1024 level: custom name: Ext.original.owner normalize: [] original_fieldset: file short: File owner's username. 
type: keyword threat.enrichments.indicator.file.Ext.original.path: dashed_name: threat-enrichments-indicator-file-Ext-original-path description: Original file path prior to a modification event flat_name: threat.enrichments.indicator.file.Ext.original.path ignore_above: 1024 level: custom name: Ext.original.path normalize: [] original_fieldset: file short: Original file path prior to a modification event type: keyword threat.enrichments.indicator.file.Ext.original.uid: dashed_name: threat-enrichments-indicator-file-Ext-original-uid description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' flat_name: threat.enrichments.indicator.file.Ext.original.uid ignore_above: 1024 level: custom name: Ext.original.uid normalize: [] original_fieldset: file short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword threat.enrichments.indicator.file.Ext.quarantine_message: dashed_name: threat-enrichments-indicator-file-Ext-quarantine-message description: Message describing quarantine results. flat_name: threat.enrichments.indicator.file.Ext.quarantine_message ignore_above: 1024 level: custom name: Ext.quarantine_message normalize: [] original_fieldset: file short: Message describing quarantine results. type: keyword threat.enrichments.indicator.file.Ext.quarantine_path: dashed_name: threat-enrichments-indicator-file-Ext-quarantine-path description: Path on endpoint the quarantined file was originally. flat_name: threat.enrichments.indicator.file.Ext.quarantine_path ignore_above: 1024 level: custom name: Ext.quarantine_path normalize: [] original_fieldset: file short: Path on endpoint the quarantined file was originally. type: keyword threat.enrichments.indicator.file.Ext.quarantine_result: dashed_name: threat-enrichments-indicator-file-Ext-quarantine-result description: Boolean representing whether or not file quarantine succeeded. 
flat_name: threat.enrichments.indicator.file.Ext.quarantine_result level: custom name: Ext.quarantine_result normalize: [] original_fieldset: file short: Boolean representing whether or not file quarantine succeeded. type: boolean threat.enrichments.indicator.file.Ext.temp_file_path: dashed_name: threat-enrichments-indicator-file-Ext-temp-file-path description: Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable. flat_name: threat.enrichments.indicator.file.Ext.temp_file_path ignore_above: 1024 level: custom name: Ext.temp_file_path normalize: [] original_fieldset: file short: Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable. type: keyword threat.enrichments.indicator.file.Ext.windows: dashed_name: threat-enrichments-indicator-file-Ext-windows description: Platform-specific Windows fields flat_name: threat.enrichments.indicator.file.Ext.windows level: custom name: Ext.windows normalize: [] original_fieldset: file short: Platform-specific Windows fields type: object threat.enrichments.indicator.file.Ext.windows.zone_identifier: dashed_name: threat-enrichments-indicator-file-Ext-windows-zone-identifier description: Windows zone identifier for a file flat_name: threat.enrichments.indicator.file.Ext.windows.zone_identifier ignore_above: 1024 level: custom name: Ext.windows.zone_identifier normalize: [] original_fieldset: file short: Windows zone identifier for a file type: keyword threat.enrichments.indicator.file.accessed: dashed_name: threat-enrichments-indicator-file-accessed description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' flat_name: threat.enrichments.indicator.file.accessed level: extended name: accessed normalize: [] original_fieldset: file short: Last time the file was accessed. 
  type: date
threat.enrichments.indicator.file.attributes:
  dashed_name: threat-enrichments-indicator-file-attributes
  description: 'Array of file attributes. Attribute names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.'
  example: '["readonly", "system"]'
  flat_name: threat.enrichments.indicator.file.attributes
  ignore_above: 1024
  level: extended
  name: attributes
  normalize:
  - array
  original_fieldset: file
  short: Array of file attributes.
  type: keyword
threat.enrichments.indicator.file.code_signature.exists:
  dashed_name: threat-enrichments-indicator-file-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: threat.enrichments.indicator.file.code_signature.exists
  level: core
  name: exists
  normalize: []
  original_fieldset: code_signature
  short: Boolean to capture if a signature is present.
  type: boolean
threat.enrichments.indicator.file.code_signature.signing_id:
  dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
  description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.'
  example: com.apple.xpc.proxy
  flat_name: threat.enrichments.indicator.file.code_signature.signing_id
  ignore_above: 1024
  level: extended
  name: signing_id
  normalize: []
  original_fieldset: code_signature
  short: The identifier used to sign the process.
  type: keyword
threat.enrichments.indicator.file.code_signature.status:
  dashed_name: threat-enrichments-indicator-file-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: threat.enrichments.indicator.file.code_signature.status
  ignore_above: 1024
  level: extended
  name: status
  normalize: []
  original_fieldset: code_signature
  short: Additional information about the certificate status.
  type: keyword
threat.enrichments.indicator.file.code_signature.subject_name:
  dashed_name: threat-enrichments-indicator-file-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: threat.enrichments.indicator.file.code_signature.subject_name
  ignore_above: 1024
  level: core
  name: subject_name
  normalize: []
  original_fieldset: code_signature
  short: Subject name of the code signer
  type: keyword
threat.enrichments.indicator.file.code_signature.team_id:
  dashed_name: threat-enrichments-indicator-file-code-signature-team-id
  description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.'
  example: EQHXZ8M8AV
  flat_name: threat.enrichments.indicator.file.code_signature.team_id
  ignore_above: 1024
  level: extended
  name: team_id
  normalize: []
  original_fieldset: code_signature
  short: The team identifier used to sign the process.
  type: keyword
threat.enrichments.indicator.file.code_signature.trusted:
  dashed_name: threat-enrichments-indicator-file-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: threat.enrichments.indicator.file.code_signature.trusted
  level: extended
  name: trusted
  normalize: []
  original_fieldset: code_signature
  short: Stores the trust status of the certificate chain.
  type: boolean
threat.enrichments.indicator.file.code_signature.valid:
  dashed_name: threat-enrichments-indicator-file-code-signature-valid
  description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.'
  example: 'true'
  flat_name: threat.enrichments.indicator.file.code_signature.valid
  level: extended
  name: valid
  normalize: []
  original_fieldset: code_signature
  short: Boolean to capture if the digital signature is verified against the binary content.
  type: boolean
threat.enrichments.indicator.file.created:
  dashed_name: threat-enrichments-indicator-file-created
  description: 'File creation time. Note that not all filesystems store the creation time.'
  flat_name: threat.enrichments.indicator.file.created
  level: extended
  name: created
  normalize: []
  original_fieldset: file
  short: File creation time.
  type: date
threat.enrichments.indicator.file.ctime:
  dashed_name: threat-enrichments-indicator-file-ctime
  description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.'
  flat_name: threat.enrichments.indicator.file.ctime
  level: extended
  name: ctime
  normalize: []
  original_fieldset: file
  short: Last time the file attributes or metadata changed.
  type: date
threat.enrichments.indicator.file.device:
  dashed_name: threat-enrichments-indicator-file-device
  description: Device that is the source of the file.
  example: sda
  flat_name: threat.enrichments.indicator.file.device
  ignore_above: 1024
  level: extended
  name: device
  normalize: []
  original_fieldset: file
  short: Device that is the source of the file.
  type: keyword
threat.enrichments.indicator.file.directory:
  dashed_name: threat-enrichments-indicator-file-directory
  description: Directory where the file is located. It should include the drive letter, when appropriate.
  example: /home/alice
  flat_name: threat.enrichments.indicator.file.directory
  ignore_above: 1024
  level: extended
  name: directory
  normalize: []
  original_fieldset: file
  short: Directory where the file is located.
  type: keyword
threat.enrichments.indicator.file.drive_letter:
  dashed_name: threat-enrichments-indicator-file-drive-letter
  description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.'
  example: C
  flat_name: threat.enrichments.indicator.file.drive_letter
  ignore_above: 1
  level: extended
  name: drive_letter
  normalize: []
  original_fieldset: file
  short: Drive letter where the file is located.
  type: keyword
threat.enrichments.indicator.file.elf.architecture:
  dashed_name: threat-enrichments-indicator-file-elf-architecture
  description: Machine architecture of the ELF file.
  example: x86-64
  flat_name: threat.enrichments.indicator.file.elf.architecture
  ignore_above: 1024
  level: extended
  name: architecture
  normalize: []
  original_fieldset: elf
  short: Machine architecture of the ELF file.
  type: keyword
threat.enrichments.indicator.file.elf.byte_order:
  dashed_name: threat-enrichments-indicator-file-elf-byte-order
  description: Byte sequence of ELF file.
  example: Little Endian
  flat_name: threat.enrichments.indicator.file.elf.byte_order
  ignore_above: 1024
  level: extended
  name: byte_order
  normalize: []
  original_fieldset: elf
  short: Byte sequence of ELF file.
  type: keyword
threat.enrichments.indicator.file.elf.cpu_type:
  dashed_name: threat-enrichments-indicator-file-elf-cpu-type
  description: CPU type of the ELF file.
  example: Intel
  flat_name: threat.enrichments.indicator.file.elf.cpu_type
  ignore_above: 1024
  level: extended
  name: cpu_type
  normalize: []
  original_fieldset: elf
  short: CPU type of the ELF file.
  type: keyword
threat.enrichments.indicator.file.elf.creation_date:
  dashed_name: threat-enrichments-indicator-file-elf-creation-date
  description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
  flat_name: threat.enrichments.indicator.file.elf.creation_date
  level: extended
  name: creation_date
  normalize: []
  original_fieldset: elf
  short: Build or compile date.
  type: date
threat.enrichments.indicator.file.elf.exports:
  dashed_name: threat-enrichments-indicator-file-elf-exports
  description: List of exported element names and types.
  flat_name: threat.enrichments.indicator.file.elf.exports
  level: extended
  name: exports
  normalize:
  - array
  original_fieldset: elf
  short: List of exported element names and types.
  type: flattened
threat.enrichments.indicator.file.elf.go_import_hash:
  dashed_name: threat-enrichments-indicator-file-elf-go-import-hash
  description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).'
  example: 10bddcb4cee42080f76c88d9ff964491
  flat_name: threat.enrichments.indicator.file.elf.go_import_hash
  ignore_above: 1024
  level: extended
  name: go_import_hash
  normalize: []
  original_fieldset: elf
  short: A hash of the Go language imports in an ELF file.
  type: keyword
threat.enrichments.indicator.file.elf.go_imports:
  dashed_name: threat-enrichments-indicator-file-elf-go-imports
  description: List of imported Go language element names and types.
  flat_name: threat.enrichments.indicator.file.elf.go_imports
  level: extended
  name: go_imports
  normalize: []
  original_fieldset: elf
  short: List of imported Go language element names and types.
  type: flattened
threat.enrichments.indicator.file.elf.go_imports_names_entropy:
  dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-entropy
  description: Shannon entropy calculation from the list of Go imports.
  flat_name: threat.enrichments.indicator.file.elf.go_imports_names_entropy
  format: number
  level: extended
  name: go_imports_names_entropy
  normalize: []
  original_fieldset: elf
  short: Shannon entropy calculation from the list of Go imports.
  type: long
threat.enrichments.indicator.file.elf.go_imports_names_var_entropy:
  dashed_name: threat-enrichments-indicator-file-elf-go-imports-names-var-entropy
  description: Variance for Shannon entropy calculation from the list of Go imports.
  flat_name: threat.enrichments.indicator.file.elf.go_imports_names_var_entropy
  format: number
  level: extended
  name: go_imports_names_var_entropy
  normalize: []
  original_fieldset: elf
  short: Variance for Shannon entropy calculation from the list of Go imports.
  type: long
threat.enrichments.indicator.file.elf.go_stripped:
  dashed_name: threat-enrichments-indicator-file-elf-go-stripped
  description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
  flat_name: threat.enrichments.indicator.file.elf.go_stripped
  level: extended
  name: go_stripped
  normalize: []
  original_fieldset: elf
  short: Whether the file is a stripped or obfuscated Go executable.
  type: boolean
threat.enrichments.indicator.file.elf.header.abi_version:
  dashed_name: threat-enrichments-indicator-file-elf-header-abi-version
  description: Version of the ELF Application Binary Interface (ABI).
  flat_name: threat.enrichments.indicator.file.elf.header.abi_version
  ignore_above: 1024
  level: extended
  name: header.abi_version
  normalize: []
  original_fieldset: elf
  short: Version of the ELF Application Binary Interface (ABI).
  type: keyword
threat.enrichments.indicator.file.elf.header.class:
  dashed_name: threat-enrichments-indicator-file-elf-header-class
  description: Header class of the ELF file.
  flat_name: threat.enrichments.indicator.file.elf.header.class
  ignore_above: 1024
  level: extended
  name: header.class
  normalize: []
  original_fieldset: elf
  short: Header class of the ELF file.
  type: keyword
threat.enrichments.indicator.file.elf.header.data:
  dashed_name: threat-enrichments-indicator-file-elf-header-data
  description: Data table of the ELF header.
  flat_name: threat.enrichments.indicator.file.elf.header.data
  ignore_above: 1024
  level: extended
  name: header.data
  normalize: []
  original_fieldset: elf
  short: Data table of the ELF header.
  type: keyword
threat.enrichments.indicator.file.elf.header.entrypoint:
  dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint
  description: Header entrypoint of the ELF file.
  flat_name: threat.enrichments.indicator.file.elf.header.entrypoint
  format: string
  level: extended
  name: header.entrypoint
  normalize: []
  original_fieldset: elf
  short: Header entrypoint of the ELF file.
  type: long
threat.enrichments.indicator.file.elf.header.object_version:
  dashed_name: threat-enrichments-indicator-file-elf-header-object-version
  description: '"0x1" for original ELF files.'
  flat_name: threat.enrichments.indicator.file.elf.header.object_version
  ignore_above: 1024
  level: extended
  name: header.object_version
  normalize: []
  original_fieldset: elf
  short: '"0x1" for original ELF files.'
  type: keyword
threat.enrichments.indicator.file.elf.header.os_abi:
  dashed_name: threat-enrichments-indicator-file-elf-header-os-abi
  description: Application Binary Interface (ABI) of the Linux OS.
  flat_name: threat.enrichments.indicator.file.elf.header.os_abi
  ignore_above: 1024
  level: extended
  name: header.os_abi
  normalize: []
  original_fieldset: elf
  short: Application Binary Interface (ABI) of the Linux OS.
  type: keyword
threat.enrichments.indicator.file.elf.header.type:
  dashed_name: threat-enrichments-indicator-file-elf-header-type
  description: Header type of the ELF file.
  flat_name: threat.enrichments.indicator.file.elf.header.type
  ignore_above: 1024
  level: extended
  name: header.type
  normalize: []
  original_fieldset: elf
  short: Header type of the ELF file.
  type: keyword
threat.enrichments.indicator.file.elf.header.version:
  dashed_name: threat-enrichments-indicator-file-elf-header-version
  description: Version of the ELF header.
  flat_name: threat.enrichments.indicator.file.elf.header.version
  ignore_above: 1024
  level: extended
  name: header.version
  normalize: []
  original_fieldset: elf
  short: Version of the ELF header.
  type: keyword
threat.enrichments.indicator.file.elf.import_hash:
  dashed_name: threat-enrichments-indicator-file-elf-import-hash
  description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.'
  example: d41d8cd98f00b204e9800998ecf8427e
  flat_name: threat.enrichments.indicator.file.elf.import_hash
  ignore_above: 1024
  level: extended
  name: import_hash
  normalize: []
  original_fieldset: elf
  short: A hash of the imports in an ELF file.
  type: keyword
threat.enrichments.indicator.file.elf.imports:
  dashed_name: threat-enrichments-indicator-file-elf-imports
  description: List of imported element names and types.
  flat_name: threat.enrichments.indicator.file.elf.imports
  level: extended
  name: imports
  normalize:
  - array
  original_fieldset: elf
  short: List of imported element names and types.
  type: flattened
threat.enrichments.indicator.file.elf.imports_names_entropy:
  dashed_name: threat-enrichments-indicator-file-elf-imports-names-entropy
  description: Shannon entropy calculation from the list of imported element names and types.
  flat_name: threat.enrichments.indicator.file.elf.imports_names_entropy
  format: number
  level: extended
  name: imports_names_entropy
  normalize: []
  original_fieldset: elf
  short: Shannon entropy calculation from the list of imported element names and types.
  type: long
threat.enrichments.indicator.file.elf.imports_names_var_entropy:
  dashed_name: threat-enrichments-indicator-file-elf-imports-names-var-entropy
  description: Variance for Shannon entropy calculation from the list of imported element names and types.
  flat_name: threat.enrichments.indicator.file.elf.imports_names_var_entropy
  format: number
  level: extended
  name: imports_names_var_entropy
  normalize: []
  original_fieldset: elf
  short: Variance for Shannon entropy calculation from the list of imported element names and types.
  type: long
threat.enrichments.indicator.file.elf.sections:
  dashed_name: threat-enrichments-indicator-file-elf-sections
  description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.'
  flat_name: threat.enrichments.indicator.file.elf.sections
  level: extended
  name: sections
  normalize:
  - array
  original_fieldset: elf
  short: Section information of the ELF file.
  type: nested
threat.enrichments.indicator.file.elf.sections.chi2:
  dashed_name: threat-enrichments-indicator-file-elf-sections-chi2
  description: Chi-square probability distribution of the section.
  flat_name: threat.enrichments.indicator.file.elf.sections.chi2
  format: number
  level: extended
  name: sections.chi2
  normalize: []
  original_fieldset: elf
  short: Chi-square probability distribution of the section.
  type: long
threat.enrichments.indicator.file.elf.sections.entropy:
  dashed_name: threat-enrichments-indicator-file-elf-sections-entropy
  description: Shannon entropy calculation from the section.
  flat_name: threat.enrichments.indicator.file.elf.sections.entropy
  format: number
  level: extended
  name: sections.entropy
  normalize: []
  original_fieldset: elf
  short: Shannon entropy calculation from the section.
  type: long
threat.enrichments.indicator.file.elf.sections.flags:
  dashed_name: threat-enrichments-indicator-file-elf-sections-flags
  description: ELF Section List flags.
  flat_name: threat.enrichments.indicator.file.elf.sections.flags
  ignore_above: 1024
  level: extended
  name: sections.flags
  normalize: []
  original_fieldset: elf
  short: ELF Section List flags.
  type: keyword
threat.enrichments.indicator.file.elf.sections.name:
  dashed_name: threat-enrichments-indicator-file-elf-sections-name
  description: ELF Section List name.
  flat_name: threat.enrichments.indicator.file.elf.sections.name
  ignore_above: 1024
  level: extended
  name: sections.name
  normalize: []
  original_fieldset: elf
  short: ELF Section List name.
  type: keyword
threat.enrichments.indicator.file.elf.sections.physical_offset:
  dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset
  description: ELF Section List offset.
  flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset
  ignore_above: 1024
  level: extended
  name: sections.physical_offset
  normalize: []
  original_fieldset: elf
  short: ELF Section List offset.
  type: keyword
threat.enrichments.indicator.file.elf.sections.physical_size:
  dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size
  description: ELF Section List physical size.
  flat_name: threat.enrichments.indicator.file.elf.sections.physical_size
  format: bytes
  level: extended
  name: sections.physical_size
  normalize: []
  original_fieldset: elf
  short: ELF Section List physical size.
  type: long
threat.enrichments.indicator.file.elf.sections.type:
  dashed_name: threat-enrichments-indicator-file-elf-sections-type
  description: ELF Section List type.
  flat_name: threat.enrichments.indicator.file.elf.sections.type
  ignore_above: 1024
  level: extended
  name: sections.type
  normalize: []
  original_fieldset: elf
  short: ELF Section List type.
  type: keyword
threat.enrichments.indicator.file.elf.sections.var_entropy:
  dashed_name: threat-enrichments-indicator-file-elf-sections-var-entropy
  description: Variance for Shannon entropy calculation from the section.
  flat_name: threat.enrichments.indicator.file.elf.sections.var_entropy
  format: number
  level: extended
  name: sections.var_entropy
  normalize: []
  original_fieldset: elf
  short: Variance for Shannon entropy calculation from the section.
  type: long
threat.enrichments.indicator.file.elf.sections.virtual_address:
  dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address
  description: ELF Section List virtual address.
  flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address
  format: string
  level: extended
  name: sections.virtual_address
  normalize: []
  original_fieldset: elf
  short: ELF Section List virtual address.
  type: long
threat.enrichments.indicator.file.elf.sections.virtual_size:
  dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size
  description: ELF Section List virtual size.
  flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size
  format: string
  level: extended
  name: sections.virtual_size
  normalize: []
  original_fieldset: elf
  short: ELF Section List virtual size.
  type: long
threat.enrichments.indicator.file.elf.segments:
  dashed_name: threat-enrichments-indicator-file-elf-segments
  description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.'
  flat_name: threat.enrichments.indicator.file.elf.segments
  level: extended
  name: segments
  normalize:
  - array
  original_fieldset: elf
  short: ELF object segment list.
  type: nested
threat.enrichments.indicator.file.elf.segments.sections:
  dashed_name: threat-enrichments-indicator-file-elf-segments-sections
  description: ELF object segment sections.
  flat_name: threat.enrichments.indicator.file.elf.segments.sections
  ignore_above: 1024
  level: extended
  name: segments.sections
  normalize: []
  original_fieldset: elf
  short: ELF object segment sections.
  type: keyword
threat.enrichments.indicator.file.elf.segments.type:
  dashed_name: threat-enrichments-indicator-file-elf-segments-type
  description: ELF object segment type.
  flat_name: threat.enrichments.indicator.file.elf.segments.type
  ignore_above: 1024
  level: extended
  name: segments.type
  normalize: []
  original_fieldset: elf
  short: ELF object segment type.
  type: keyword
threat.enrichments.indicator.file.elf.shared_libraries:
  dashed_name: threat-enrichments-indicator-file-elf-shared-libraries
  description: List of shared libraries used by this ELF object.
  flat_name: threat.enrichments.indicator.file.elf.shared_libraries
  ignore_above: 1024
  level: extended
  name: shared_libraries
  normalize:
  - array
  original_fieldset: elf
  short: List of shared libraries used by this ELF object.
  type: keyword
threat.enrichments.indicator.file.elf.telfhash:
  dashed_name: threat-enrichments-indicator-file-elf-telfhash
  description: telfhash symbol hash for ELF file.
  flat_name: threat.enrichments.indicator.file.elf.telfhash
  ignore_above: 1024
  level: extended
  name: telfhash
  normalize: []
  original_fieldset: elf
  short: telfhash hash for ELF file.
  type: keyword
threat.enrichments.indicator.file.extension:
  dashed_name: threat-enrichments-indicator-file-extension
  description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").'
  example: png
  flat_name: threat.enrichments.indicator.file.extension
  ignore_above: 1024
  level: extended
  name: extension
  normalize: []
  original_fieldset: file
  short: File extension, excluding the leading dot.
  type: keyword
threat.enrichments.indicator.file.gid:
  dashed_name: threat-enrichments-indicator-file-gid
  description: Primary group ID (GID) of the file.
  example: '1001'
  flat_name: threat.enrichments.indicator.file.gid
  ignore_above: 1024
  level: extended
  name: gid
  normalize: []
  original_fieldset: file
  short: Primary group ID (GID) of the file.
  type: keyword
threat.enrichments.indicator.file.group:
  dashed_name: threat-enrichments-indicator-file-group
  description: Primary group name of the file.
  example: alice
  flat_name: threat.enrichments.indicator.file.group
  ignore_above: 1024
  level: extended
  name: group
  normalize: []
  original_fieldset: file
  short: Primary group name of the file.
  type: keyword
threat.enrichments.indicator.file.hash.md5:
  dashed_name: threat-enrichments-indicator-file-hash-md5
  description: MD5 hash.
  flat_name: threat.enrichments.indicator.file.hash.md5
  ignore_above: 1024
  level: extended
  name: md5
  normalize: []
  original_fieldset: hash
  short: MD5 hash.
  type: keyword
threat.enrichments.indicator.file.hash.sha1:
  dashed_name: threat-enrichments-indicator-file-hash-sha1
  description: SHA1 hash.
  flat_name: threat.enrichments.indicator.file.hash.sha1
  ignore_above: 1024
  level: extended
  name: sha1
  normalize: []
  original_fieldset: hash
  short: SHA1 hash.
  type: keyword
threat.enrichments.indicator.file.hash.sha256:
  dashed_name: threat-enrichments-indicator-file-hash-sha256
  description: SHA256 hash.
  flat_name: threat.enrichments.indicator.file.hash.sha256
  ignore_above: 1024
  level: extended
  name: sha256
  normalize: []
  original_fieldset: hash
  short: SHA256 hash.
  type: keyword
threat.enrichments.indicator.file.hash.sha512:
  dashed_name: threat-enrichments-indicator-file-hash-sha512
  description: SHA512 hash.
  flat_name: threat.enrichments.indicator.file.hash.sha512
  ignore_above: 1024
  level: extended
  name: sha512
  normalize: []
  original_fieldset: hash
  short: SHA512 hash.
  type: keyword
threat.enrichments.indicator.file.hash.ssdeep:
  dashed_name: threat-enrichments-indicator-file-hash-ssdeep
  description: SSDEEP hash.
  flat_name: threat.enrichments.indicator.file.hash.ssdeep
  ignore_above: 1024
  level: extended
  name: ssdeep
  normalize: []
  original_fieldset: hash
  short: SSDEEP hash.
  type: keyword
threat.enrichments.indicator.file.inode:
  dashed_name: threat-enrichments-indicator-file-inode
  description: Inode representing the file in the filesystem.
  example: '256383'
  flat_name: threat.enrichments.indicator.file.inode
  ignore_above: 1024
  level: extended
  name: inode
  normalize: []
  original_fieldset: file
  short: Inode representing the file in the filesystem.
  type: keyword
threat.enrichments.indicator.file.mime_type:
  dashed_name: threat-enrichments-indicator-file-mime-type
  description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
  flat_name: threat.enrichments.indicator.file.mime_type
  ignore_above: 1024
  level: extended
  name: mime_type
  normalize: []
  original_fieldset: file
  short: Media type of file, document, or arrangement of bytes.
  type: keyword
threat.enrichments.indicator.file.mode:
  dashed_name: threat-enrichments-indicator-file-mode
  description: Mode of the file in octal representation.
  example: '0640'
  flat_name: threat.enrichments.indicator.file.mode
  ignore_above: 1024
  level: extended
  name: mode
  normalize: []
  original_fieldset: file
  short: Mode of the file in octal representation.
  type: keyword
threat.enrichments.indicator.file.mtime:
  dashed_name: threat-enrichments-indicator-file-mtime
  description: Last time the file content was modified.
  flat_name: threat.enrichments.indicator.file.mtime
  level: extended
  name: mtime
  normalize: []
  original_fieldset: file
  short: Last time the file content was modified.
  type: date
threat.enrichments.indicator.file.name:
  dashed_name: threat-enrichments-indicator-file-name
  description: Name of the file including the extension, without the directory.
  example: example.png
  flat_name: threat.enrichments.indicator.file.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: file
  short: Name of the file including the extension, without the directory.
  type: keyword
threat.enrichments.indicator.file.owner:
  dashed_name: threat-enrichments-indicator-file-owner
  description: File owner's username.
  example: alice
  flat_name: threat.enrichments.indicator.file.owner
  ignore_above: 1024
  level: extended
  name: owner
  normalize: []
  original_fieldset: file
  short: File owner's username.
  type: keyword
threat.enrichments.indicator.file.path:
  dashed_name: threat-enrichments-indicator-file-path
  description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
  example: /home/alice/example.png
  flat_name: threat.enrichments.indicator.file.path
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: threat.enrichments.indicator.file.path.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: threat.enrichments.indicator.file.path.text
    name: text
    norms: false
    type: text
  name: path
  normalize: []
  original_fieldset: file
  short: Full path to the file, including the file name.
  type: keyword
threat.enrichments.indicator.file.pe.architecture:
  dashed_name: threat-enrichments-indicator-file-pe-architecture
  description: CPU architecture target for the file.
  example: x64
  flat_name: threat.enrichments.indicator.file.pe.architecture
  ignore_above: 1024
  level: extended
  name: architecture
  normalize: []
  original_fieldset: pe
  short: CPU architecture target for the file.
  type: keyword
threat.enrichments.indicator.file.pe.company:
  dashed_name: threat-enrichments-indicator-file-pe-company
  description: Internal company name of the file, provided at compile-time.
  example: Microsoft Corporation
  flat_name: threat.enrichments.indicator.file.pe.company
  ignore_above: 1024
  level: extended
  name: company
  normalize: []
  original_fieldset: pe
  short: Internal company name of the file, provided at compile-time.
  type: keyword
threat.enrichments.indicator.file.pe.description:
  dashed_name: threat-enrichments-indicator-file-pe-description
  description: Internal description of the file, provided at compile-time.
  example: Paint
  flat_name: threat.enrichments.indicator.file.pe.description
  ignore_above: 1024
  level: extended
  name: description
  normalize: []
  original_fieldset: pe
  short: Internal description of the file, provided at compile-time.
  type: keyword
threat.enrichments.indicator.file.pe.file_version:
  dashed_name: threat-enrichments-indicator-file-pe-file-version
  description: Internal version of the file, provided at compile-time.
  example: 6.3.9600.17415
  flat_name: threat.enrichments.indicator.file.pe.file_version
  ignore_above: 1024
  level: extended
  name: file_version
  normalize: []
  original_fieldset: pe
  short: Internal version of the file, provided at compile-time.
  type: keyword
threat.enrichments.indicator.file.pe.imphash:
  dashed_name: threat-enrichments-indicator-file-pe-imphash
  description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
  example: 0c6803c4e922103c4dca5963aad36ddf
  flat_name: threat.enrichments.indicator.file.pe.imphash
  ignore_above: 1024
  level: extended
  name: imphash
  normalize: []
  original_fieldset: pe
  short: A hash of the imports in a PE file.
  type: keyword
threat.enrichments.indicator.file.pe.original_file_name:
  dashed_name: threat-enrichments-indicator-file-pe-original-file-name
  description: Internal name of the file, provided at compile-time.
  example: MSPAINT.EXE
  flat_name: threat.enrichments.indicator.file.pe.original_file_name
  ignore_above: 1024
  level: extended
  name: original_file_name
  normalize: []
  original_fieldset: pe
  short: Internal name of the file, provided at compile-time.
  type: keyword
threat.enrichments.indicator.file.pe.product:
  dashed_name: threat-enrichments-indicator-file-pe-product
  description: Internal product name of the file, provided at compile-time.
  example: "Microsoft\xAE Windows\xAE Operating System"
  flat_name: threat.enrichments.indicator.file.pe.product
  ignore_above: 1024
  level: extended
  name: product
  normalize: []
  original_fieldset: pe
  short: Internal product name of the file, provided at compile-time.
  type: keyword
threat.enrichments.indicator.file.size:
  dashed_name: threat-enrichments-indicator-file-size
  description: 'File size in bytes. Only relevant when `file.type` is "file".'
  example: 16384
  flat_name: threat.enrichments.indicator.file.size
  level: extended
  name: size
  normalize: []
  original_fieldset: file
  short: File size in bytes.
  type: long
threat.enrichments.indicator.file.target_path:
  dashed_name: threat-enrichments-indicator-file-target-path
  description: Target path for symlinks.
  flat_name: threat.enrichments.indicator.file.target_path
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: threat.enrichments.indicator.file.target_path.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: threat.enrichments.indicator.file.target_path.text
    name: text
    norms: false
    type: text
  name: target_path
  normalize: []
  original_fieldset: file
  short: Target path for symlinks.
  type: keyword
threat.enrichments.indicator.file.type:
  dashed_name: threat-enrichments-indicator-file-type
  description: File type (file, dir, or symlink).
  example: file
  flat_name: threat.enrichments.indicator.file.type
  ignore_above: 1024
  level: extended
  name: type
  normalize: []
  original_fieldset: file
  short: File type (file, dir, or symlink).
  type: keyword
threat.enrichments.indicator.file.uid:
  dashed_name: threat-enrichments-indicator-file-uid
  description: The user ID (UID) or security identifier (SID) of the file owner.
  example: '1001'
  flat_name: threat.enrichments.indicator.file.uid
  ignore_above: 1024
  level: extended
  name: uid
  normalize: []
  original_fieldset: file
  short: The user ID (UID) or security identifier (SID) of the file owner.
  type: keyword
threat.enrichments.indicator.first_seen:
  dashed_name: threat-enrichments-indicator-first-seen
  description: The date and time when intelligence source first reported sighting this indicator.
  example: '2020-11-05T17:25:47.000Z'
  flat_name: threat.enrichments.indicator.first_seen
  level: extended
  name: enrichments.indicator.first_seen
  normalize: []
  short: Date/time indicator was first reported.
  type: date
threat.enrichments.indicator.geo.city_name:
  dashed_name: threat-enrichments-indicator-geo-city-name
  description: City name.
  example: Montreal
  flat_name: threat.enrichments.indicator.geo.city_name
  ignore_above: 1024
  level: core
  name: city_name
  normalize: []
  original_fieldset: geo
  short: City name.
  type: keyword
threat.enrichments.indicator.geo.continent_code:
  dashed_name: threat-enrichments-indicator-geo-continent-code
  description: Two-letter code representing continent's name.
  example: NA
  flat_name: threat.enrichments.indicator.geo.continent_code
  ignore_above: 1024
  level: core
  name: continent_code
  normalize: []
  original_fieldset: geo
  short: Continent code.
  type: keyword
threat.enrichments.indicator.geo.continent_name:
  dashed_name: threat-enrichments-indicator-geo-continent-name
  description: Name of the continent.
  example: North America
  flat_name: threat.enrichments.indicator.geo.continent_name
  ignore_above: 1024
  level: core
  name: continent_name
  normalize: []
  original_fieldset: geo
  short: Name of the continent.
  type: keyword
threat.enrichments.indicator.geo.country_iso_code:
  dashed_name: threat-enrichments-indicator-geo-country-iso-code
  description: Country ISO code.
  example: CA
  flat_name: threat.enrichments.indicator.geo.country_iso_code
  ignore_above: 1024
  level: core
  name: country_iso_code
  normalize: []
  original_fieldset: geo
  short: Country ISO code.
  type: keyword
threat.enrichments.indicator.geo.country_name:
  dashed_name: threat-enrichments-indicator-geo-country-name
  description: Country name.
  example: Canada
  flat_name: threat.enrichments.indicator.geo.country_name
  ignore_above: 1024
  level: core
  name: country_name
  normalize: []
  original_fieldset: geo
  short: Country name.
  type: keyword
threat.enrichments.indicator.geo.location:
  dashed_name: threat-enrichments-indicator-geo-location
  description: Longitude and latitude.
  example: '{ "lon": -73.614830, "lat": 45.505918 }'
  flat_name: threat.enrichments.indicator.geo.location
  level: core
  name: location
  normalize: []
  original_fieldset: geo
  short: Longitude and latitude.
  type: geo_point
threat.enrichments.indicator.geo.name:
  dashed_name: threat-enrichments-indicator-geo-name
  description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.'
  example: boston-dc
  flat_name: threat.enrichments.indicator.geo.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: geo
  short: User-defined description of a location.
  type: keyword
threat.enrichments.indicator.geo.postal_code:
  dashed_name: threat-enrichments-indicator-geo-postal-code
  description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.'
  example: 94040
  flat_name: threat.enrichments.indicator.geo.postal_code
  ignore_above: 1024
  level: core
  name: postal_code
  normalize: []
  original_fieldset: geo
  short: Postal code.
  type: keyword
threat.enrichments.indicator.geo.region_iso_code:
  dashed_name: threat-enrichments-indicator-geo-region-iso-code
  description: Region ISO code.
  example: CA-QC
  flat_name: threat.enrichments.indicator.geo.region_iso_code
  ignore_above: 1024
  level: core
  name: region_iso_code
  normalize: []
  original_fieldset: geo
  short: Region ISO code.
  type: keyword
threat.enrichments.indicator.geo.region_name:
  dashed_name: threat-enrichments-indicator-geo-region-name
  description: Region name.
  example: Quebec
  flat_name: threat.enrichments.indicator.geo.region_name
  ignore_above: 1024
  level: core
  name: region_name
  normalize: []
  original_fieldset: geo
  short: Region name.
  type: keyword
threat.enrichments.indicator.geo.timezone:
  dashed_name: threat-enrichments-indicator-geo-timezone
  description: The time zone of the location, such as IANA time zone name.
  example: America/Argentina/Buenos_Aires
  flat_name: threat.enrichments.indicator.geo.timezone
  ignore_above: 1024
  level: core
  name: timezone
  normalize: []
  original_fieldset: geo
  short: Time zone.
  type: keyword
threat.enrichments.indicator.ip:
  dashed_name: threat-enrichments-indicator-ip
  description: Identifies a threat indicator as an IP address (irrespective of direction).
  example: 1.2.3.4
  flat_name: threat.enrichments.indicator.ip
  level: extended
  name: enrichments.indicator.ip
  normalize: []
  short: Indicator IP address
  type: ip
threat.enrichments.indicator.last_seen:
  dashed_name: threat-enrichments-indicator-last-seen
  description: The date and time when intelligence source last reported sighting this indicator.
  example: '2020-11-05T17:25:47.000Z'
  flat_name: threat.enrichments.indicator.last_seen
  level: extended
  name: enrichments.indicator.last_seen
  normalize: []
  short: Date/time indicator was last reported.
  type: date
threat.enrichments.indicator.marking.tlp:
  dashed_name: threat-enrichments-indicator-marking-tlp
  description: Traffic Light Protocol sharing markings.
  example: CLEAR
  expected_values:
  - WHITE
  - CLEAR
  - GREEN
  - AMBER
  - AMBER+STRICT
  - RED
  flat_name: threat.enrichments.indicator.marking.tlp
  ignore_above: 1024
  level: extended
  name: enrichments.indicator.marking.tlp
  normalize: []
  short: Indicator TLP marking
  type: keyword
threat.enrichments.indicator.modified_at:
  dashed_name: threat-enrichments-indicator-modified-at
  description: The date and time when intelligence source last modified information for this indicator.
  example: '2020-11-05T17:25:47.000Z'
  flat_name: threat.enrichments.indicator.modified_at
  level: extended
  name: enrichments.indicator.modified_at
  normalize: []
  short: Date/time indicator was last updated.
  type: date
threat.enrichments.indicator.port:
  dashed_name: threat-enrichments-indicator-port
  description: Identifies a threat indicator as a port number (irrespective of direction).
  example: 443
  flat_name: threat.enrichments.indicator.port
  level: extended
  name: enrichments.indicator.port
  normalize: []
  short: Indicator port
  type: long
threat.enrichments.indicator.provider:
  dashed_name: threat-enrichments-indicator-provider
  description: The name of the indicator's provider.
  example: lrz_urlhaus
  flat_name: threat.enrichments.indicator.provider
  ignore_above: 1024
  level: extended
  name: enrichments.indicator.provider
  normalize: []
  short: Indicator provider
  type: keyword
threat.enrichments.indicator.reference:
  dashed_name: threat-enrichments-indicator-reference
  description: Reference URL linking to additional information about this indicator.
example: https://system.example.com/indicator/0001234 flat_name: threat.enrichments.indicator.reference ignore_above: 1024 level: extended name: enrichments.indicator.reference normalize: [] short: Indicator reference URL type: keyword threat.enrichments.indicator.registry.data.bytes: dashed_name: threat-enrichments-indicator-registry-data-bytes description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= flat_name: threat.enrichments.indicator.registry.data.bytes ignore_above: 1024 level: extended name: data.bytes normalize: [] original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword threat.enrichments.indicator.registry.data.strings: dashed_name: threat-enrichments-indicator-registry-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: threat.enrichments.indicator.registry.data.strings level: core name: data.strings normalize: - array original_fieldset: registry short: List of strings representing what was written to the registry. 
type: wildcard threat.enrichments.indicator.registry.data.type: dashed_name: threat-enrichments-indicator-registry-data-type description: Standard registry type for encoding contents example: REG_SZ flat_name: threat.enrichments.indicator.registry.data.type ignore_above: 1024 level: core name: data.type normalize: [] original_fieldset: registry short: Standard registry type for encoding contents type: keyword threat.enrichments.indicator.registry.hive: dashed_name: threat-enrichments-indicator-registry-hive description: Abbreviated name for the hive. example: HKLM flat_name: threat.enrichments.indicator.registry.hive ignore_above: 1024 level: core name: hive normalize: [] original_fieldset: registry short: Abbreviated name for the hive. type: keyword threat.enrichments.indicator.registry.key: dashed_name: threat-enrichments-indicator-registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe flat_name: threat.enrichments.indicator.registry.key ignore_above: 1024 level: core name: key normalize: [] original_fieldset: registry short: Hive-relative path of keys. type: keyword threat.enrichments.indicator.registry.path: dashed_name: threat-enrichments-indicator-registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger flat_name: threat.enrichments.indicator.registry.path ignore_above: 1024 level: core name: path normalize: [] original_fieldset: registry short: Full path, including hive, key and value type: keyword threat.enrichments.indicator.registry.value: dashed_name: threat-enrichments-indicator-registry-value description: Name of the value written. example: Debugger flat_name: threat.enrichments.indicator.registry.value ignore_above: 1024 level: core name: value normalize: [] original_fieldset: registry short: Name of the value written. 
type: keyword threat.enrichments.indicator.scanner_stats: dashed_name: threat-enrichments-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. example: 4 flat_name: threat.enrichments.indicator.scanner_stats level: extended name: enrichments.indicator.scanner_stats normalize: [] short: Scanner statistics type: long threat.enrichments.indicator.sightings: dashed_name: threat-enrichments-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 flat_name: threat.enrichments.indicator.sightings level: extended name: enrichments.indicator.sightings normalize: [] short: Number of times indicator observed type: long threat.enrichments.indicator.type: dashed_name: threat-enrichments-indicator-type description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr expected_values: - autonomous-system - artifact - directory - domain-name - email-addr - file - ipv4-addr - ipv6-addr - mac-addr - mutex - port - process - software - url - user-account - windows-registry-key - x509-certificate flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended name: enrichments.indicator.type normalize: [] short: Type of indicator type: keyword threat.enrichments.indicator.url.domain: dashed_name: threat-enrichments-indicator-url-domain description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: threat.enrichments.indicator.url.domain ignore_above: 1024 level: extended name: domain normalize: [] original_fieldset: url short: Domain of the url. 
type: keyword threat.enrichments.indicator.url.extension: dashed_name: threat-enrichments-indicator-url-extension description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png flat_name: threat.enrichments.indicator.url.extension ignore_above: 1024 level: extended name: extension normalize: [] original_fieldset: url short: File extension from the request url, excluding the leading dot. type: keyword threat.enrichments.indicator.url.fragment: dashed_name: threat-enrichments-indicator-url-fragment description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' flat_name: threat.enrichments.indicator.url.fragment ignore_above: 1024 level: extended name: fragment normalize: [] original_fieldset: url short: Portion of the url after the `#`. type: keyword threat.enrichments.indicator.url.full: dashed_name: threat-enrichments-indicator-url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: threat.enrichments.indicator.url.full level: extended multi_fields: - flat_name: threat.enrichments.indicator.url.full.text name: text type: match_only_text name: full normalize: [] original_fieldset: url short: Full unparsed URL. type: wildcard threat.enrichments.indicator.url.original: dashed_name: threat-enrichments-indicator-url-original description: 'Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: threat.enrichments.indicator.url.original level: extended multi_fields: - flat_name: threat.enrichments.indicator.url.original.text name: text type: match_only_text name: original normalize: [] original_fieldset: url short: Unmodified original url as seen in the event source. type: wildcard threat.enrichments.indicator.url.password: dashed_name: threat-enrichments-indicator-url-password description: Password of the request. flat_name: threat.enrichments.indicator.url.password ignore_above: 1024 level: extended name: password normalize: [] original_fieldset: url short: Password of the request. type: keyword threat.enrichments.indicator.url.path: dashed_name: threat-enrichments-indicator-url-path description: Path of the request, such as "/search". flat_name: threat.enrichments.indicator.url.path level: extended name: path normalize: [] original_fieldset: url short: Path of the request, such as "/search". type: wildcard threat.enrichments.indicator.url.port: dashed_name: threat-enrichments-indicator-url-port description: Port of the request, such as 443. example: 443 flat_name: threat.enrichments.indicator.url.port format: string level: extended name: port normalize: [] original_fieldset: url short: Port of the request, such as 443. type: long threat.enrichments.indicator.url.query: dashed_name: threat-enrichments-indicator-url-query description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases.' flat_name: threat.enrichments.indicator.url.query ignore_above: 1024 level: extended name: query normalize: [] original_fieldset: url short: Query string of the request. type: keyword threat.enrichments.indicator.url.registered_domain: dashed_name: threat-enrichments-indicator-url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: threat.enrichments.indicator.url.registered_domain ignore_above: 1024 level: extended name: registered_domain normalize: [] original_fieldset: url short: The highest registered url domain, stripped of the subdomain. type: keyword threat.enrichments.indicator.url.scheme: dashed_name: threat-enrichments-indicator-url-scheme description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https flat_name: threat.enrichments.indicator.url.scheme ignore_above: 1024 level: extended name: scheme normalize: [] original_fieldset: url short: Scheme of the url. type: keyword threat.enrichments.indicator.url.subdomain: dashed_name: threat-enrichments-indicator-url-subdomain description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east flat_name: threat.enrichments.indicator.url.subdomain ignore_above: 1024 level: extended name: subdomain normalize: [] original_fieldset: url short: The subdomain of the domain. type: keyword threat.enrichments.indicator.url.top_level_domain: dashed_name: threat-enrichments-indicator-url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk flat_name: threat.enrichments.indicator.url.top_level_domain ignore_above: 1024 level: extended name: top_level_domain normalize: [] original_fieldset: url short: The effective top level domain (com, org, net, co.uk). type: keyword threat.enrichments.indicator.url.username: dashed_name: threat-enrichments-indicator-url-username description: Username of the request. flat_name: threat.enrichments.indicator.url.username ignore_above: 1024 level: extended name: username normalize: [] original_fieldset: url short: Username of the request. type: keyword threat.enrichments.indicator.x509.alternative_names: dashed_name: threat-enrichments-indicator-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
example: '*.elastic.co' flat_name: threat.enrichments.indicator.x509.alternative_names ignore_above: 1024 level: extended name: alternative_names normalize: - array original_fieldset: x509 short: List of subject alternative names (SAN). type: keyword threat.enrichments.indicator.x509.issuer.common_name: dashed_name: threat-enrichments-indicator-x509-issuer-common-name description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA flat_name: threat.enrichments.indicator.x509.issuer.common_name ignore_above: 1024 level: extended name: issuer.common_name normalize: - array original_fieldset: x509 short: List of common name (CN) of issuing certificate authority. type: keyword threat.enrichments.indicator.x509.issuer.country: dashed_name: threat-enrichments-indicator-x509-issuer-country description: List of country \(C) codes example: US flat_name: threat.enrichments.indicator.x509.issuer.country ignore_above: 1024 level: extended name: issuer.country normalize: - array original_fieldset: x509 short: List of country \(C) codes type: keyword threat.enrichments.indicator.x509.issuer.distinguished_name: dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. 
type: keyword threat.enrichments.indicator.x509.issuer.locality: dashed_name: threat-enrichments-indicator-x509-issuer-locality description: List of locality names (L) example: Mountain View flat_name: threat.enrichments.indicator.x509.issuer.locality ignore_above: 1024 level: extended name: issuer.locality normalize: - array original_fieldset: x509 short: List of locality names (L) type: keyword threat.enrichments.indicator.x509.issuer.organization: dashed_name: threat-enrichments-indicator-x509-issuer-organization description: List of organizations (O) of issuing certificate authority. example: Example Inc flat_name: threat.enrichments.indicator.x509.issuer.organization ignore_above: 1024 level: extended name: issuer.organization normalize: - array original_fieldset: x509 short: List of organizations (O) of issuing certificate authority. type: keyword threat.enrichments.indicator.x509.issuer.organizational_unit: dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit description: List of organizational units (OU) of issuing certificate authority. example: www.example.com flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended name: issuer.organizational_unit normalize: - array original_fieldset: x509 short: List of organizational units (OU) of issuing certificate authority. 
type: keyword threat.enrichments.indicator.x509.issuer.state_or_province: dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province description: List of state or province names (ST, S, or P) example: California flat_name: threat.enrichments.indicator.x509.issuer.state_or_province ignore_above: 1024 level: extended name: issuer.state_or_province normalize: - array original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword threat.enrichments.indicator.x509.not_after: dashed_name: threat-enrichments-indicator-x509-not-after description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' flat_name: threat.enrichments.indicator.x509.not_after level: extended name: not_after normalize: [] original_fieldset: x509 short: Time at which the certificate is no longer considered valid. type: date threat.enrichments.indicator.x509.not_before: dashed_name: threat-enrichments-indicator-x509-not-before description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' flat_name: threat.enrichments.indicator.x509.not_before level: extended name: not_before normalize: [] original_fieldset: x509 short: Time at which the certificate is first considered valid. type: date threat.enrichments.indicator.x509.public_key_algorithm: dashed_name: threat-enrichments-indicator-x509-public-key-algorithm description: Algorithm used to generate the public key. example: RSA flat_name: threat.enrichments.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended name: public_key_algorithm normalize: [] original_fieldset: x509 short: Algorithm used to generate the public key. type: keyword threat.enrichments.indicator.x509.public_key_curve: dashed_name: threat-enrichments-indicator-x509-public-key-curve description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
example: nistp521 flat_name: threat.enrichments.indicator.x509.public_key_curve ignore_above: 1024 level: extended name: public_key_curve normalize: [] original_fieldset: x509 short: The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword threat.enrichments.indicator.x509.public_key_exponent: dashed_name: threat-enrichments-indicator-x509-public-key-exponent description: Exponent used to derive the public key. This is algorithm specific. doc_values: false example: 65537 flat_name: threat.enrichments.indicator.x509.public_key_exponent index: false level: extended name: public_key_exponent normalize: [] original_fieldset: x509 short: Exponent used to derive the public key. This is algorithm specific. type: long threat.enrichments.indicator.x509.public_key_size: dashed_name: threat-enrichments-indicator-x509-public-key-size description: The size of the public key space in bits. example: 2048 flat_name: threat.enrichments.indicator.x509.public_key_size level: extended name: public_key_size normalize: [] original_fieldset: x509 short: The size of the public key space in bits. type: long threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 level: extended name: serial_number normalize: [] original_fieldset: x509 short: Unique serial number issued by the certificate authority. type: keyword threat.enrichments.indicator.x509.signature_algorithm: dashed_name: threat-enrichments-indicator-x509-signature-algorithm description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA flat_name: threat.enrichments.indicator.x509.signature_algorithm ignore_above: 1024 level: extended name: signature_algorithm normalize: [] original_fieldset: x509 short: Identifier for certificate signature algorithm. type: keyword threat.enrichments.indicator.x509.subject.common_name: dashed_name: threat-enrichments-indicator-x509-subject-common-name description: List of common names (CN) of subject. example: shared.global.example.net flat_name: threat.enrichments.indicator.x509.subject.common_name ignore_above: 1024 level: extended name: subject.common_name normalize: - array original_fieldset: x509 short: List of common names (CN) of subject. type: keyword threat.enrichments.indicator.x509.subject.country: dashed_name: threat-enrichments-indicator-x509-subject-country description: List of country \(C) code example: US flat_name: threat.enrichments.indicator.x509.subject.country ignore_above: 1024 level: extended name: subject.country normalize: - array original_fieldset: x509 short: List of country \(C) code type: keyword threat.enrichments.indicator.x509.subject.distinguished_name: dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: threat.enrichments.indicator.x509.subject.distinguished_name ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. 
type: keyword threat.enrichments.indicator.x509.subject.locality: dashed_name: threat-enrichments-indicator-x509-subject-locality description: List of locality names (L) example: San Francisco flat_name: threat.enrichments.indicator.x509.subject.locality ignore_above: 1024 level: extended name: subject.locality normalize: - array original_fieldset: x509 short: List of locality names (L) type: keyword threat.enrichments.indicator.x509.subject.organization: dashed_name: threat-enrichments-indicator-x509-subject-organization description: List of organizations (O) of subject. example: Example, Inc. flat_name: threat.enrichments.indicator.x509.subject.organization ignore_above: 1024 level: extended name: subject.organization normalize: - array original_fieldset: x509 short: List of organizations (O) of subject. type: keyword threat.enrichments.indicator.x509.subject.organizational_unit: dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit description: List of organizational units (OU) of subject. flat_name: threat.enrichments.indicator.x509.subject.organizational_unit ignore_above: 1024 level: extended name: subject.organizational_unit normalize: - array original_fieldset: x509 short: List of organizational units (OU) of subject. type: keyword threat.enrichments.indicator.x509.subject.state_or_province: dashed_name: threat-enrichments-indicator-x509-subject-state-or-province description: List of state or province names (ST, S, or P) example: California flat_name: threat.enrichments.indicator.x509.subject.state_or_province ignore_above: 1024 level: extended name: subject.state_or_province normalize: - array original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword threat.enrichments.indicator.x509.version_number: dashed_name: threat-enrichments-indicator-x509-version-number description: Version of x509 format. 
example: 3 flat_name: threat.enrichments.indicator.x509.version_number ignore_above: 1024 level: extended name: version_number normalize: [] original_fieldset: x509 short: Version of x509 format. type: keyword threat.enrichments.matched.atomic: dashed_name: threat-enrichments-matched-atomic description: Identifies the atomic indicator value that matched a local environment endpoint or network event. example: bad-domain.com flat_name: threat.enrichments.matched.atomic ignore_above: 1024 level: extended name: enrichments.matched.atomic normalize: [] short: Matched indicator value type: keyword threat.enrichments.matched.field: dashed_name: threat-enrichments-matched-field description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. example: file.hash.sha256 flat_name: threat.enrichments.matched.field ignore_above: 1024 level: extended name: enrichments.matched.field normalize: [] short: Matched indicator field type: keyword threat.enrichments.matched.id: dashed_name: threat-enrichments-matched-id description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 flat_name: threat.enrichments.matched.id ignore_above: 1024 level: extended name: enrichments.matched.id normalize: [] short: Matched indicator identifier type: keyword threat.enrichments.matched.index: dashed_name: threat-enrichments-matched-index description: Identifies the _index of the indicator document enriching the event. 
  example: filebeat-8.0.0-2021.05.23-000011
  flat_name: threat.enrichments.matched.index
  ignore_above: 1024
  level: extended
  name: enrichments.matched.index
  normalize: []
  short: Matched indicator index
  type: keyword
threat.enrichments.matched.type:
  dashed_name: threat-enrichments-matched-type
  description: Identifies the type of match that caused the event to be enriched with the given indicator
  example: indicator_match_rule
  flat_name: threat.enrichments.matched.type
  ignore_above: 1024
  level: extended
  name: enrichments.matched.type
  normalize: []
  short: Type of indicator match
  type: keyword
threat.framework:
  dashed_name: threat-framework
  description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
  example: MITRE ATT&CK
  flat_name: threat.framework
  ignore_above: 1024
  level: extended
  name: framework
  normalize: []
  short: Threat classification framework.
  type: keyword
threat.group.alias:
  dashed_name: threat-group-alias
  description: "The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK\xAE group alias(es)."
  example: '[ "Magecart Group 6" ]'
  flat_name: threat.group.alias
  ignore_above: 1024
  level: extended
  name: group.alias
  normalize:
  - array
  short: Alias of the group.
  type: keyword
threat.group.id:
  dashed_name: threat-group-id
  description: "The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK\xAE group id."
  example: G0037
  flat_name: threat.group.id
  ignore_above: 1024
  level: extended
  name: group.id
  normalize: []
  short: ID of the group.
  type: keyword
threat.group.name:
  dashed_name: threat-group-name
  description: "The name of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK\xAE group name."
  example: FIN6
  flat_name: threat.group.name
  ignore_above: 1024
  level: extended
  name: group.name
  normalize: []
  short: Name of the group.
  type: keyword
threat.group.reference:
  dashed_name: threat-group-reference
  description: "The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK\xAE group reference URL."
  example: https://attack.mitre.org/groups/G0037/
  flat_name: threat.group.reference
  ignore_above: 1024
  level: extended
  name: group.reference
  normalize: []
  short: Reference URL of the group.
  type: keyword
threat.indicator.as.number:
  dashed_name: threat-indicator-as-number
  description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
  example: 15169
  flat_name: threat.indicator.as.number
  level: extended
  name: number
  normalize: []
  original_fieldset: as
  short: Unique number allocated to the autonomous system.
  type: long
threat.indicator.as.organization.name:
  dashed_name: threat-indicator-as-organization-name
  description: Organization name.
  example: Google LLC
  flat_name: threat.indicator.as.organization.name
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: threat.indicator.as.organization.name.text
    name: text
    type: match_only_text
  name: organization.name
  normalize: []
  original_fieldset: as
  short: Organization name.
  type: keyword
threat.indicator.confidence:
  dashed_name: threat-indicator-confidence
  description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
  example: Medium
  expected_values:
  - Not Specified
  - None
  - Low
  - Medium
  - High
  flat_name: threat.indicator.confidence
  ignore_above: 1024
  level: extended
  name: indicator.confidence
  normalize: []
  short: Indicator confidence rating
  type: keyword
threat.indicator.description:
  dashed_name: threat-indicator-description
  description: Describes the type of action conducted by the threat.
  example: IP x.x.x.x was observed delivering the Angler EK.
  flat_name: threat.indicator.description
  ignore_above: 1024
  level: extended
  name: indicator.description
  normalize: []
  short: Indicator description
  type: keyword
threat.indicator.email.address:
  dashed_name: threat-indicator-email-address
  description: Identifies a threat indicator as an email address (irrespective of direction).
  example: phish@example.com
  flat_name: threat.indicator.email.address
  ignore_above: 1024
  level: extended
  name: indicator.email.address
  normalize: []
  short: Indicator email address
  type: keyword
threat.indicator.file.Ext:
  dashed_name: threat-indicator-file-Ext
  description: Object for all custom defined fields to live in.
  flat_name: threat.indicator.file.Ext
  level: custom
  name: Ext
  normalize: []
  original_fieldset: file
  short: Object for all custom defined fields to live in.
  type: object
threat.indicator.file.Ext.code_signature:
  dashed_name: threat-indicator-file-Ext-code-signature
  description: Nested version of ECS code_signature fieldset.
  flat_name: threat.indicator.file.Ext.code_signature
  level: custom
  name: Ext.code_signature
  normalize: []
  original_fieldset: file
  short: Nested version of ECS code_signature fieldset.
  type: nested
threat.indicator.file.Ext.code_signature.exists:
  dashed_name: threat-indicator-file-Ext-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: threat.indicator.file.Ext.code_signature.exists
  level: core
  name: Ext.code_signature.exists
  normalize: []
  original_fieldset: file
  short: Boolean to capture if a signature is present.
  type: boolean
threat.indicator.file.Ext.code_signature.status:
  dashed_name: threat-indicator-file-Ext-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: threat.indicator.file.Ext.code_signature.status
  ignore_above: 1024
  level: custom
  name: Ext.code_signature.status
  normalize: []
  original_fieldset: file
  short: Additional information about the certificate status.
  type: keyword
threat.indicator.file.Ext.code_signature.subject_name:
  dashed_name: threat-indicator-file-Ext-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: threat.indicator.file.Ext.code_signature.subject_name
  ignore_above: 1024
  level: core
  name: Ext.code_signature.subject_name
  normalize: []
  original_fieldset: file
  short: Subject name of the code signer
  type: keyword
threat.indicator.file.Ext.code_signature.trusted:
  dashed_name: threat-indicator-file-Ext-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: threat.indicator.file.Ext.code_signature.trusted
  level: custom
  name: Ext.code_signature.trusted
  normalize: []
  original_fieldset: file
  short: Stores the trust status of the certificate chain.
  type: boolean
threat.indicator.file.Ext.code_signature.valid:
  dashed_name: threat-indicator-file-Ext-code-signature-valid
  description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.'
  example: 'true'
  flat_name: threat.indicator.file.Ext.code_signature.valid
  level: custom
  name: Ext.code_signature.valid
  normalize: []
  original_fieldset: file
  short: Boolean to capture if the digital signature is verified against the binary content.
  type: boolean
threat.indicator.file.Ext.device.bus_type:
  dashed_name: threat-indicator-file-Ext-device-bus-type
  description: Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc.
  flat_name: threat.indicator.file.Ext.device.bus_type
  ignore_above: 1024
  level: custom
  name: Ext.device.bus_type
  normalize: []
  original_fieldset: file
  short: Bus type of the device.
  type: keyword
threat.indicator.file.Ext.device.dos_name:
  dashed_name: threat-indicator-file-Ext-device-dos-name
  description: DOS name of the device. DOS device name is in the format of drive letters such as C:, D:,...
  flat_name: threat.indicator.file.Ext.device.dos_name
  ignore_above: 1024
  level: custom
  name: Ext.device.dos_name
  normalize: []
  original_fieldset: file
  short: DOS name of the device.
  type: keyword
threat.indicator.file.Ext.device.nt_name:
  dashed_name: threat-indicator-file-Ext-device-nt-name
  description: 'NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2'
  flat_name: threat.indicator.file.Ext.device.nt_name
  ignore_above: 1024
  level: custom
  name: Ext.device.nt_name
  normalize: []
  original_fieldset: file
  short: NT name of the device.
  type: keyword
threat.indicator.file.Ext.device.product_id:
  dashed_name: threat-indicator-file-Ext-device-product-id
  description: ProductID of the device. It is provided by the vendor of the device if any.
  flat_name: threat.indicator.file.Ext.device.product_id
  ignore_above: 1024
  level: custom
  name: Ext.device.product_id
  normalize: []
  original_fieldset: file
  short: ProductID of the device.
  type: keyword
threat.indicator.file.Ext.device.serial_number:
  dashed_name: threat-indicator-file-Ext-device-serial-number
  description: Serial Number of the device. It is provided by the vendor of the device if any.
  flat_name: threat.indicator.file.Ext.device.serial_number
  ignore_above: 1024
  level: custom
  name: Ext.device.serial_number
  normalize: []
  original_fieldset: file
  short: Serial Number of the device.
  type: keyword
threat.indicator.file.Ext.device.vendor_id:
  dashed_name: threat-indicator-file-Ext-device-vendor-id
  description: VendorID of the device. It is provided by the vendor of the device.
  flat_name: threat.indicator.file.Ext.device.vendor_id
  ignore_above: 1024
  level: custom
  name: Ext.device.vendor_id
  normalize: []
  original_fieldset: file
  short: VendorID of the device.
  type: keyword
threat.indicator.file.Ext.entropy:
  dashed_name: threat-indicator-file-Ext-entropy
  description: Entropy calculation of file's header and footer used to check file integrity.
  flat_name: threat.indicator.file.Ext.entropy
  level: custom
  name: Ext.entropy
  normalize: []
  original_fieldset: file
  short: File entropy value
  type: double
threat.indicator.file.Ext.entry_modified:
  dashed_name: threat-indicator-file-Ext-entry-modified
  description: Time of last status change. See `st_ctim` member of `struct stat`.
  flat_name: threat.indicator.file.Ext.entry_modified
  level: custom
  name: Ext.entry_modified
  normalize: []
  original_fieldset: file
  short: Time of last status change. See `st_ctim` member of `struct stat`.
  type: double
threat.indicator.file.Ext.header_bytes:
  dashed_name: threat-indicator-file-Ext-header-bytes
  description: First 16 bytes of file used to check file integrity.
  flat_name: threat.indicator.file.Ext.header_bytes
  ignore_above: 1024
  level: custom
  name: Ext.header_bytes
  normalize: []
  original_fieldset: file
  short: Header bytes
  type: keyword
threat.indicator.file.Ext.header_data:
  dashed_name: threat-indicator-file-Ext-header-data
  description: First 16 bytes of file used to check file integrity.
  flat_name: threat.indicator.file.Ext.header_data
  level: custom
  name: Ext.header_data
  normalize: []
  norms: false
  original_fieldset: file
  short: Header data
  type: text
threat.indicator.file.Ext.malware_classification.features.data.buffer:
  dashed_name: threat-indicator-file-Ext-malware-classification-features-data-buffer
  description: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded.
  flat_name: threat.indicator.file.Ext.malware_classification.features.data.buffer
  ignore_above: 1024
  level: custom
  name: features.data.buffer
  normalize: []
  original_fieldset: malware_classification
  short: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded.
  type: keyword
threat.indicator.file.Ext.malware_classification.features.data.decompressed_size:
  dashed_name: threat-indicator-file-Ext-malware-classification-features-data-decompressed-size
  description: The decompressed size of buffer.
  flat_name: threat.indicator.file.Ext.malware_classification.features.data.decompressed_size
  level: custom
  name: features.data.decompressed_size
  normalize: []
  original_fieldset: malware_classification
  short: The decompressed size of buffer.
  type: integer
threat.indicator.file.Ext.malware_classification.features.data.encoding:
  dashed_name: threat-indicator-file-Ext-malware-classification-features-data-encoding
  description: The encoding of buffer (e.g. zlib).
  flat_name: threat.indicator.file.Ext.malware_classification.features.data.encoding
  ignore_above: 1024
  level: custom
  name: features.data.encoding
  normalize: []
  original_fieldset: malware_classification
  short: The encoding of buffer (e.g. zlib).
  type: keyword
threat.indicator.file.Ext.malware_classification.identifier:
  dashed_name: threat-indicator-file-Ext-malware-classification-identifier
  description: The model's unique identifier.
  flat_name: threat.indicator.file.Ext.malware_classification.identifier
  ignore_above: 1024
  level: custom
  name: identifier
  normalize: []
  original_fieldset: malware_classification
  short: The model's unique identifier.
  type: keyword
threat.indicator.file.Ext.malware_classification.score:
  dashed_name: threat-indicator-file-Ext-malware-classification-score
  description: The score produced by the classification model.
  flat_name: threat.indicator.file.Ext.malware_classification.score
  level: custom
  name: score
  normalize: []
  original_fieldset: malware_classification
  short: The score produced by the classification model.
  type: double
threat.indicator.file.Ext.malware_classification.threshold:
  dashed_name: threat-indicator-file-Ext-malware-classification-threshold
  description: The score threshold for the model. Files that score above this threshold are considered malicious.
  flat_name: threat.indicator.file.Ext.malware_classification.threshold
  level: custom
  name: threshold
  normalize: []
  original_fieldset: malware_classification
  short: The score threshold for the model. Files that score above this threshold are considered malicious.
  type: double
threat.indicator.file.Ext.malware_classification.upx_packed:
  dashed_name: threat-indicator-file-Ext-malware-classification-upx-packed
  description: Whether UPX packing was detected.
  flat_name: threat.indicator.file.Ext.malware_classification.upx_packed
  level: custom
  name: upx_packed
  normalize: []
  original_fieldset: malware_classification
  short: Whether UPX packing was detected.
  type: boolean
threat.indicator.file.Ext.malware_classification.version:
  dashed_name: threat-indicator-file-Ext-malware-classification-version
  description: The version of the model used.
  flat_name: threat.indicator.file.Ext.malware_classification.version
  ignore_above: 1024
  level: custom
  name: version
  normalize: []
  original_fieldset: malware_classification
  short: The version of the model used.
  type: keyword
threat.indicator.file.Ext.malware_signature:
  dashed_name: threat-indicator-file-Ext-malware-signature
  description: Nested version of malware_signature fieldset.
  flat_name: threat.indicator.file.Ext.malware_signature
  level: custom
  name: Ext.malware_signature
  normalize: []
  original_fieldset: file
  short: Nested version of malware_signature fieldset.
  type: nested
threat.indicator.file.Ext.malware_signature.all_names:
  dashed_name: threat-indicator-file-Ext-malware-signature-all-names
  description: The concatenated names of all yara signatures
  flat_name: threat.indicator.file.Ext.malware_signature.all_names
  level: custom
  name: Ext.malware_signature.all_names
  normalize: []
  norms: false
  original_fieldset: file
  short: Yara signature names
  type: text
threat.indicator.file.Ext.malware_signature.identifier:
  dashed_name: threat-indicator-file-Ext-malware-signature-identifier
  description: Malware artifact identifier.
  flat_name: threat.indicator.file.Ext.malware_signature.identifier
  level: custom
  name: Ext.malware_signature.identifier
  normalize: []
  norms: false
  original_fieldset: file
  short: Malware artifact identifier
  type: text
threat.indicator.file.Ext.malware_signature.primary:
  dashed_name: threat-indicator-file-Ext-malware-signature-primary
  description: Primary malware signature match.
  flat_name: threat.indicator.file.Ext.malware_signature.primary
  level: custom
  name: Ext.malware_signature.primary
  normalize: []
  original_fieldset: file
  short: Primary malware signature match
  type: nested
threat.indicator.file.Ext.malware_signature.primary.matches:
  dashed_name: threat-indicator-file-Ext-malware-signature-primary-matches
  description: An array of bytes representing yara signature matches
  flat_name: threat.indicator.file.Ext.malware_signature.primary.matches
  level: custom
  name: Ext.malware_signature.primary.matches
  normalize:
  - array
  original_fieldset: file
  short: signature match bytes
  type: nested
threat.indicator.file.Ext.malware_signature.primary.signature:
  dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature
  description: Primary malware signature match.
  flat_name: threat.indicator.file.Ext.malware_signature.primary.signature
  level: custom
  name: Ext.malware_signature.primary.signature
  normalize: []
  original_fieldset: file
  short: Primary malware signature match
  type: nested
threat.indicator.file.Ext.malware_signature.primary.signature.hash:
  dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature-hash
  description: Primary malware signature hash.
  flat_name: threat.indicator.file.Ext.malware_signature.primary.signature.hash
  level: custom
  name: Ext.malware_signature.primary.signature.hash
  normalize: []
  original_fieldset: file
  short: Primary malware signature hash
  type: nested
threat.indicator.file.Ext.malware_signature.primary.signature.hash.sha256:
  dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature-hash-sha256
  description: Primary malware signature sha256.
  flat_name: threat.indicator.file.Ext.malware_signature.primary.signature.hash.sha256
  ignore_above: 1024
  level: custom
  name: Ext.malware_signature.primary.signature.hash.sha256
  normalize: []
  original_fieldset: file
  short: Primary malware signature sha256
  type: keyword
threat.indicator.file.Ext.malware_signature.primary.signature.id:
  dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature-id
  description: Primary malware signature id.
  flat_name: threat.indicator.file.Ext.malware_signature.primary.signature.id
  ignore_above: 1024
  level: custom
  name: Ext.malware_signature.primary.signature.id
  normalize: []
  original_fieldset: file
  short: Primary malware signature id
  type: keyword
threat.indicator.file.Ext.malware_signature.primary.signature.name:
  dashed_name: threat-indicator-file-Ext-malware-signature-primary-signature-name
  description: Primary malware signature name.
  flat_name: threat.indicator.file.Ext.malware_signature.primary.signature.name
  ignore_above: 1024
  level: custom
  name: Ext.malware_signature.primary.signature.name
  normalize: []
  original_fieldset: file
  short: Primary malware signature name
  type: keyword
threat.indicator.file.Ext.malware_signature.secondary:
  dashed_name: threat-indicator-file-Ext-malware-signature-secondary
  description: An array of malware signature matches
  flat_name: threat.indicator.file.Ext.malware_signature.secondary
  level: custom
  name: Ext.malware_signature.secondary
  normalize:
  - array
  original_fieldset: file
  short: secondary signature matches
  type: nested
threat.indicator.file.Ext.malware_signature.version:
  dashed_name: threat-indicator-file-Ext-malware-signature-version
  description: Primary malware signature version.
  flat_name: threat.indicator.file.Ext.malware_signature.version
  ignore_above: 1024
  level: custom
  name: Ext.malware_signature.version
  normalize: []
  original_fieldset: file
  short: Primary malware signature version
  type: keyword
threat.indicator.file.Ext.monotonic_id:
  dashed_name: threat-indicator-file-Ext-monotonic-id
  description: File event monotonic ID.
  flat_name: threat.indicator.file.Ext.monotonic_id
  level: custom
  name: Ext.monotonic_id
  normalize: []
  original_fieldset: file
  short: File event monotonic ID
  type: unsigned_long
threat.indicator.file.Ext.original:
  dashed_name: threat-indicator-file-Ext-original
  description: Original file information during a modification event.
  flat_name: threat.indicator.file.Ext.original
  level: custom
  name: Ext.original
  normalize: []
  original_fieldset: file
  short: Original file information during a modification event.
  type: object
threat.indicator.file.Ext.original.gid:
  dashed_name: threat-indicator-file-Ext-original-gid
  description: Primary group ID (GID) of the file.
  example: '1001'
  flat_name: threat.indicator.file.Ext.original.gid
  ignore_above: 1024
  level: custom
  name: Ext.original.gid
  normalize: []
  original_fieldset: file
  short: Primary group ID (GID) of the file.
  type: keyword
threat.indicator.file.Ext.original.group:
  dashed_name: threat-indicator-file-Ext-original-group
  description: Primary group name of the file.
  example: alice
  flat_name: threat.indicator.file.Ext.original.group
  ignore_above: 1024
  level: custom
  name: Ext.original.group
  normalize: []
  original_fieldset: file
  short: Primary group name of the file.
  type: keyword
threat.indicator.file.Ext.original.mode:
  dashed_name: threat-indicator-file-Ext-original-mode
  description: Original file mode prior to a modification event
  flat_name: threat.indicator.file.Ext.original.mode
  ignore_above: 1024
  level: custom
  name: Ext.original.mode
  normalize: []
  original_fieldset: file
  short: Original file mode prior to a modification event
  type: keyword
threat.indicator.file.Ext.original.name:
  dashed_name: threat-indicator-file-Ext-original-name
  description: Original file name prior to a modification event
  flat_name: threat.indicator.file.Ext.original.name
  ignore_above: 1024
  level: custom
  name: Ext.original.name
  normalize: []
  original_fieldset: file
  short: Original file name prior to a modification event
  type: keyword
threat.indicator.file.Ext.original.owner:
  dashed_name: threat-indicator-file-Ext-original-owner
  description: File owner's username.
  example: alice
  flat_name: threat.indicator.file.Ext.original.owner
  ignore_above: 1024
  level: custom
  name: Ext.original.owner
  normalize: []
  original_fieldset: file
  short: File owner's username.
  type: keyword
threat.indicator.file.Ext.original.path:
  dashed_name: threat-indicator-file-Ext-original-path
  description: Original file path prior to a modification event
  flat_name: threat.indicator.file.Ext.original.path
  ignore_above: 1024
  level: custom
  name: Ext.original.path
  normalize: []
  original_fieldset: file
  short: Original file path prior to a modification event
  type: keyword
threat.indicator.file.Ext.original.uid:
  dashed_name: threat-indicator-file-Ext-original-uid
  description: The user ID (UID) or security identifier (SID) of the file owner.
  example: '1001'
  flat_name: threat.indicator.file.Ext.original.uid
  ignore_above: 1024
  level: custom
  name: Ext.original.uid
  normalize: []
  original_fieldset: file
  short: The user ID (UID) or security identifier (SID) of the file owner.
  type: keyword
threat.indicator.file.Ext.quarantine_message:
  dashed_name: threat-indicator-file-Ext-quarantine-message
  description: Message describing quarantine results.
  flat_name: threat.indicator.file.Ext.quarantine_message
  ignore_above: 1024
  level: custom
  name: Ext.quarantine_message
  normalize: []
  original_fieldset: file
  short: Message describing quarantine results.
  type: keyword
threat.indicator.file.Ext.quarantine_path:
  dashed_name: threat-indicator-file-Ext-quarantine-path
  description: Path on the endpoint where the quarantined file was originally located.
  flat_name: threat.indicator.file.Ext.quarantine_path
  ignore_above: 1024
  level: custom
  name: Ext.quarantine_path
  normalize: []
  original_fieldset: file
  short: Path on the endpoint where the quarantined file was originally located.
  type: keyword
threat.indicator.file.Ext.quarantine_result:
  dashed_name: threat-indicator-file-Ext-quarantine-result
  description: Boolean representing whether or not file quarantine succeeded.
  flat_name: threat.indicator.file.Ext.quarantine_result
  level: custom
  name: Ext.quarantine_result
  normalize: []
  original_fieldset: file
  short: Boolean representing whether or not file quarantine succeeded.
  type: boolean
threat.indicator.file.Ext.temp_file_path:
  dashed_name: threat-indicator-file-Ext-temp-file-path
  description: Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable.
  flat_name: threat.indicator.file.Ext.temp_file_path
  ignore_above: 1024
  level: custom
  name: Ext.temp_file_path
  normalize: []
  original_fieldset: file
  short: Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable.
  type: keyword
threat.indicator.file.Ext.windows:
  dashed_name: threat-indicator-file-Ext-windows
  description: Platform-specific Windows fields
  flat_name: threat.indicator.file.Ext.windows
  level: custom
  name: Ext.windows
  normalize: []
  original_fieldset: file
  short: Platform-specific Windows fields
  type: object
threat.indicator.file.Ext.windows.zone_identifier:
  dashed_name: threat-indicator-file-Ext-windows-zone-identifier
  description: Windows zone identifier for a file
  flat_name: threat.indicator.file.Ext.windows.zone_identifier
  ignore_above: 1024
  level: custom
  name: Ext.windows.zone_identifier
  normalize: []
  original_fieldset: file
  short: Windows zone identifier for a file
  type: keyword
threat.indicator.file.accessed:
  dashed_name: threat-indicator-file-accessed
  description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.'
  flat_name: threat.indicator.file.accessed
  level: extended
  name: accessed
  normalize: []
  original_fieldset: file
  short: Last time the file was accessed.
  type: date
threat.indicator.file.attributes:
  dashed_name: threat-indicator-file-attributes
  description: 'Array of file attributes. Attribute names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.'
  example: '["readonly", "system"]'
  flat_name: threat.indicator.file.attributes
  ignore_above: 1024
  level: extended
  name: attributes
  normalize:
  - array
  original_fieldset: file
  short: Array of file attributes.
  type: keyword
threat.indicator.file.code_signature.exists:
  dashed_name: threat-indicator-file-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: threat.indicator.file.code_signature.exists
  level: core
  name: exists
  normalize: []
  original_fieldset: code_signature
  short: Boolean to capture if a signature is present.
  type: boolean
threat.indicator.file.code_signature.signing_id:
  dashed_name: threat-indicator-file-code-signature-signing-id
  description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.'
  example: com.apple.xpc.proxy
  flat_name: threat.indicator.file.code_signature.signing_id
  ignore_above: 1024
  level: extended
  name: signing_id
  normalize: []
  original_fieldset: code_signature
  short: The identifier used to sign the process.
  type: keyword
threat.indicator.file.code_signature.status:
  dashed_name: threat-indicator-file-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: threat.indicator.file.code_signature.status
  ignore_above: 1024
  level: extended
  name: status
  normalize: []
  original_fieldset: code_signature
  short: Additional information about the certificate status.
  type: keyword
threat.indicator.file.code_signature.subject_name:
  dashed_name: threat-indicator-file-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: threat.indicator.file.code_signature.subject_name
  ignore_above: 1024
  level: core
  name: subject_name
  normalize: []
  original_fieldset: code_signature
  short: Subject name of the code signer
  type: keyword
threat.indicator.file.code_signature.team_id:
  dashed_name: threat-indicator-file-code-signature-team-id
  description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.'
  example: EQHXZ8M8AV
  flat_name: threat.indicator.file.code_signature.team_id
  ignore_above: 1024
  level: extended
  name: team_id
  normalize: []
  original_fieldset: code_signature
  short: The team identifier used to sign the process.
  type: keyword
threat.indicator.file.code_signature.trusted:
  dashed_name: threat-indicator-file-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: threat.indicator.file.code_signature.trusted
  level: extended
  name: trusted
  normalize: []
  original_fieldset: code_signature
  short: Stores the trust status of the certificate chain.
  type: boolean
threat.indicator.file.code_signature.valid:
  dashed_name: threat-indicator-file-code-signature-valid
  description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.'
  example: 'true'
  flat_name: threat.indicator.file.code_signature.valid
  level: extended
  name: valid
  normalize: []
  original_fieldset: code_signature
  short: Boolean to capture if the digital signature is verified against the binary content.
  type: boolean
threat.indicator.file.created:
  dashed_name: threat-indicator-file-created
  description: 'File creation time. Note that not all filesystems store the creation time.'
  flat_name: threat.indicator.file.created
  level: extended
  name: created
  normalize: []
  original_fieldset: file
  short: File creation time.
  type: date
threat.indicator.file.ctime:
  dashed_name: threat-indicator-file-ctime
  description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.'
  flat_name: threat.indicator.file.ctime
  level: extended
  name: ctime
  normalize: []
  original_fieldset: file
  short: Last time the file attributes or metadata changed.
  type: date
threat.indicator.file.device:
  dashed_name: threat-indicator-file-device
  description: Device that is the source of the file.
  example: sda
  flat_name: threat.indicator.file.device
  ignore_above: 1024
  level: extended
  name: device
  normalize: []
  original_fieldset: file
  short: Device that is the source of the file.
  type: keyword
threat.indicator.file.directory:
  dashed_name: threat-indicator-file-directory
  description: Directory where the file is located. It should include the drive letter, when appropriate.
  example: /home/alice
  flat_name: threat.indicator.file.directory
  ignore_above: 1024
  level: extended
  name: directory
  normalize: []
  original_fieldset: file
  short: Directory where the file is located.
  type: keyword
threat.indicator.file.drive_letter:
  dashed_name: threat-indicator-file-drive-letter
  description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.'
  example: C
  flat_name: threat.indicator.file.drive_letter
  ignore_above: 1
  level: extended
  name: drive_letter
  normalize: []
  original_fieldset: file
  short: Drive letter where the file is located.
  type: keyword
threat.indicator.file.elf.architecture:
  dashed_name: threat-indicator-file-elf-architecture
  description: Machine architecture of the ELF file.
  example: x86-64
  flat_name: threat.indicator.file.elf.architecture
  ignore_above: 1024
  level: extended
  name: architecture
  normalize: []
  original_fieldset: elf
  short: Machine architecture of the ELF file.
  type: keyword
threat.indicator.file.elf.byte_order:
  dashed_name: threat-indicator-file-elf-byte-order
  description: Byte sequence of ELF file.
  example: Little Endian
  flat_name: threat.indicator.file.elf.byte_order
  ignore_above: 1024
  level: extended
  name: byte_order
  normalize: []
  original_fieldset: elf
  short: Byte sequence of ELF file.
  type: keyword
threat.indicator.file.elf.cpu_type:
  dashed_name: threat-indicator-file-elf-cpu-type
  description: CPU type of the ELF file.
  example: Intel
  flat_name: threat.indicator.file.elf.cpu_type
  ignore_above: 1024
  level: extended
  name: cpu_type
  normalize: []
  original_fieldset: elf
  short: CPU type of the ELF file.
  type: keyword
threat.indicator.file.elf.creation_date:
  dashed_name: threat-indicator-file-elf-creation-date
  description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
  flat_name: threat.indicator.file.elf.creation_date
  level: extended
  name: creation_date
  normalize: []
  original_fieldset: elf
  short: Build or compile date.
  type: date
threat.indicator.file.elf.exports:
  dashed_name: threat-indicator-file-elf-exports
  description: List of exported element names and types.
  flat_name: threat.indicator.file.elf.exports
  level: extended
  name: exports
  normalize:
  - array
  original_fieldset: elf
  short: List of exported element names and types.
  type: flattened
threat.indicator.file.elf.go_import_hash:
  dashed_name: threat-indicator-file-elf-go-import-hash
  description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).'
  example: 10bddcb4cee42080f76c88d9ff964491
  flat_name: threat.indicator.file.elf.go_import_hash
  ignore_above: 1024
  level: extended
  name: go_import_hash
  normalize: []
  original_fieldset: elf
  short: A hash of the Go language imports in an ELF file.
  type: keyword
threat.indicator.file.elf.go_imports:
  dashed_name: threat-indicator-file-elf-go-imports
  description: List of imported Go language element names and types.
  flat_name: threat.indicator.file.elf.go_imports
  level: extended
  name: go_imports
  normalize: []
  original_fieldset: elf
  short: List of imported Go language element names and types.
  type: flattened
threat.indicator.file.elf.go_imports_names_entropy:
  dashed_name: threat-indicator-file-elf-go-imports-names-entropy
  description: Shannon entropy calculation from the list of Go imports.
  flat_name: threat.indicator.file.elf.go_imports_names_entropy
  format: number
  level: extended
  name: go_imports_names_entropy
  normalize: []
  original_fieldset: elf
  short: Shannon entropy calculation from the list of Go imports.
  type: long
threat.indicator.file.elf.go_imports_names_var_entropy:
  dashed_name: threat-indicator-file-elf-go-imports-names-var-entropy
  description: Variance for Shannon entropy calculation from the list of Go imports.
  flat_name: threat.indicator.file.elf.go_imports_names_var_entropy
  format: number
  level: extended
  name: go_imports_names_var_entropy
  normalize: []
  original_fieldset: elf
  short: Variance for Shannon entropy calculation from the list of Go imports.
  type: long
threat.indicator.file.elf.go_stripped:
  dashed_name: threat-indicator-file-elf-go-stripped
  description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false if it is an unobfuscated Go executable.
  flat_name: threat.indicator.file.elf.go_stripped
  level: extended
  name: go_stripped
  normalize: []
  original_fieldset: elf
  short: Whether the file is a stripped or obfuscated Go executable.
  type: boolean
threat.indicator.file.elf.header.abi_version:
  dashed_name: threat-indicator-file-elf-header-abi-version
  description: Version of the ELF Application Binary Interface (ABI).
  flat_name: threat.indicator.file.elf.header.abi_version
  ignore_above: 1024
  level: extended
  name: header.abi_version
  normalize: []
  original_fieldset: elf
  short: Version of the ELF Application Binary Interface (ABI).
  type: keyword
threat.indicator.file.elf.header.class:
  dashed_name: threat-indicator-file-elf-header-class
  description: Header class of the ELF file.
  flat_name: threat.indicator.file.elf.header.class
  ignore_above: 1024
  level: extended
  name: header.class
  normalize: []
  original_fieldset: elf
  short: Header class of the ELF file.
  type: keyword
threat.indicator.file.elf.header.data:
  dashed_name: threat-indicator-file-elf-header-data
  description: Data table of the ELF header.
  flat_name: threat.indicator.file.elf.header.data
  ignore_above: 1024
  level: extended
  name: header.data
  normalize: []
  original_fieldset: elf
  short: Data table of the ELF header.
  type: keyword
threat.indicator.file.elf.header.entrypoint:
  dashed_name: threat-indicator-file-elf-header-entrypoint
  description: Header entrypoint of the ELF file.
  flat_name: threat.indicator.file.elf.header.entrypoint
  format: string
  level: extended
  name: header.entrypoint
  normalize: []
  original_fieldset: elf
  short: Header entrypoint of the ELF file.
  type: long
threat.indicator.file.elf.header.object_version:
  dashed_name: threat-indicator-file-elf-header-object-version
  description: '"0x1" for original ELF files.'
  flat_name: threat.indicator.file.elf.header.object_version
  ignore_above: 1024
  level: extended
  name: header.object_version
  normalize: []
  original_fieldset: elf
  short: '"0x1" for original ELF files.'
  type: keyword
threat.indicator.file.elf.header.os_abi:
  dashed_name: threat-indicator-file-elf-header-os-abi
  description: Application Binary Interface (ABI) of the Linux OS.
  flat_name: threat.indicator.file.elf.header.os_abi
  ignore_above: 1024
  level: extended
  name: header.os_abi
  normalize: []
  original_fieldset: elf
  short: Application Binary Interface (ABI) of the Linux OS.
  type: keyword
threat.indicator.file.elf.header.type:
  dashed_name: threat-indicator-file-elf-header-type
  description: Header type of the ELF file.
  flat_name: threat.indicator.file.elf.header.type
  ignore_above: 1024
  level: extended
  name: header.type
  normalize: []
  original_fieldset: elf
  short: Header type of the ELF file.
  type: keyword
threat.indicator.file.elf.header.version:
  dashed_name: threat-indicator-file-elf-header-version
  description: Version of the ELF header.
  flat_name: threat.indicator.file.elf.header.version
  ignore_above: 1024
  level: extended
  name: header.version
  normalize: []
  original_fieldset: elf
  short: Version of the ELF header.
  type: keyword
threat.indicator.file.elf.import_hash:
  dashed_name: threat-indicator-file-elf-import-hash
  description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.'
  example: d41d8cd98f00b204e9800998ecf8427e
  flat_name: threat.indicator.file.elf.import_hash
  ignore_above: 1024
  level: extended
  name: import_hash
  normalize: []
  original_fieldset: elf
  short: A hash of the imports in an ELF file.
  type: keyword
threat.indicator.file.elf.imports:
  dashed_name: threat-indicator-file-elf-imports
  description: List of imported element names and types.
  flat_name: threat.indicator.file.elf.imports
  level: extended
  name: imports
  normalize:
  - array
  original_fieldset: elf
  short: List of imported element names and types.
type: flattened threat.indicator.file.elf.imports_names_entropy: dashed_name: threat-indicator-file-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. flat_name: threat.indicator.file.elf.imports_names_entropy format: number level: extended name: imports_names_entropy normalize: [] original_fieldset: elf short: Shannon entropy calculation from the list of imported element names and types. type: long threat.indicator.file.elf.imports_names_var_entropy: dashed_name: threat-indicator-file-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. flat_name: threat.indicator.file.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy normalize: [] original_fieldset: elf short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long threat.indicator.file.elf.sections: dashed_name: threat-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' flat_name: threat.indicator.file.elf.sections level: extended name: sections normalize: - array original_fieldset: elf short: Section information of the ELF file. type: nested threat.indicator.file.elf.sections.chi2: dashed_name: threat-indicator-file-elf-sections-chi2 description: Chi-square probability distribution of the section. flat_name: threat.indicator.file.elf.sections.chi2 format: number level: extended name: sections.chi2 normalize: [] original_fieldset: elf short: Chi-square probability distribution of the section. type: long threat.indicator.file.elf.sections.entropy: dashed_name: threat-indicator-file-elf-sections-entropy description: Shannon entropy calculation from the section. 
flat_name: threat.indicator.file.elf.sections.entropy format: number level: extended name: sections.entropy normalize: [] original_fieldset: elf short: Shannon entropy calculation from the section. type: long threat.indicator.file.elf.sections.flags: dashed_name: threat-indicator-file-elf-sections-flags description: ELF Section List flags. flat_name: threat.indicator.file.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags normalize: [] original_fieldset: elf short: ELF Section List flags. type: keyword threat.indicator.file.elf.sections.name: dashed_name: threat-indicator-file-elf-sections-name description: ELF Section List name. flat_name: threat.indicator.file.elf.sections.name ignore_above: 1024 level: extended name: sections.name normalize: [] original_fieldset: elf short: ELF Section List name. type: keyword threat.indicator.file.elf.sections.physical_offset: dashed_name: threat-indicator-file-elf-sections-physical-offset description: ELF Section List offset. flat_name: threat.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset normalize: [] original_fieldset: elf short: ELF Section List offset. type: keyword threat.indicator.file.elf.sections.physical_size: dashed_name: threat-indicator-file-elf-sections-physical-size description: ELF Section List physical size. flat_name: threat.indicator.file.elf.sections.physical_size format: bytes level: extended name: sections.physical_size normalize: [] original_fieldset: elf short: ELF Section List physical size. type: long threat.indicator.file.elf.sections.type: dashed_name: threat-indicator-file-elf-sections-type description: ELF Section List type. flat_name: threat.indicator.file.elf.sections.type ignore_above: 1024 level: extended name: sections.type normalize: [] original_fieldset: elf short: ELF Section List type. 
type: keyword threat.indicator.file.elf.sections.var_entropy: dashed_name: threat-indicator-file-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. flat_name: threat.indicator.file.elf.sections.var_entropy format: number level: extended name: sections.var_entropy normalize: [] original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long threat.indicator.file.elf.sections.virtual_address: dashed_name: threat-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. flat_name: threat.indicator.file.elf.sections.virtual_address format: string level: extended name: sections.virtual_address normalize: [] original_fieldset: elf short: ELF Section List virtual address. type: long threat.indicator.file.elf.sections.virtual_size: dashed_name: threat-indicator-file-elf-sections-virtual-size description: ELF Section List virtual size. flat_name: threat.indicator.file.elf.sections.virtual_size format: string level: extended name: sections.virtual_size normalize: [] original_fieldset: elf short: ELF Section List virtual size. type: long threat.indicator.file.elf.segments: dashed_name: threat-indicator-file-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' flat_name: threat.indicator.file.elf.segments level: extended name: segments normalize: - array original_fieldset: elf short: ELF object segment list. type: nested threat.indicator.file.elf.segments.sections: dashed_name: threat-indicator-file-elf-segments-sections description: ELF object segment sections. flat_name: threat.indicator.file.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections normalize: [] original_fieldset: elf short: ELF object segment sections. 
type: keyword threat.indicator.file.elf.segments.type: dashed_name: threat-indicator-file-elf-segments-type description: ELF object segment type. flat_name: threat.indicator.file.elf.segments.type ignore_above: 1024 level: extended name: segments.type normalize: [] original_fieldset: elf short: ELF object segment type. type: keyword threat.indicator.file.elf.shared_libraries: dashed_name: threat-indicator-file-elf-shared-libraries description: List of shared libraries used by this ELF object. flat_name: threat.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries normalize: - array original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword threat.indicator.file.elf.telfhash: dashed_name: threat-indicator-file-elf-telfhash description: telfhash symbol hash for ELF file. flat_name: threat.indicator.file.elf.telfhash ignore_above: 1024 level: extended name: telfhash normalize: [] original_fieldset: elf short: telfhash hash for ELF file. type: keyword threat.indicator.file.extension: dashed_name: threat-indicator-file-extension description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended name: extension normalize: [] original_fieldset: file short: File extension, excluding the leading dot. type: keyword threat.indicator.file.gid: dashed_name: threat-indicator-file-gid description: Primary group ID (GID) of the file. example: '1001' flat_name: threat.indicator.file.gid ignore_above: 1024 level: extended name: gid normalize: [] original_fieldset: file short: Primary group ID (GID) of the file. type: keyword threat.indicator.file.group: dashed_name: threat-indicator-file-group description: Primary group name of the file. 
example: alice flat_name: threat.indicator.file.group ignore_above: 1024 level: extended name: group normalize: [] original_fieldset: file short: Primary group name of the file. type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. flat_name: threat.indicator.file.hash.md5 ignore_above: 1024 level: extended name: md5 normalize: [] original_fieldset: hash short: MD5 hash. type: keyword threat.indicator.file.hash.sha1: dashed_name: threat-indicator-file-hash-sha1 description: SHA1 hash. flat_name: threat.indicator.file.hash.sha1 ignore_above: 1024 level: extended name: sha1 normalize: [] original_fieldset: hash short: SHA1 hash. type: keyword threat.indicator.file.hash.sha256: dashed_name: threat-indicator-file-hash-sha256 description: SHA256 hash. flat_name: threat.indicator.file.hash.sha256 ignore_above: 1024 level: extended name: sha256 normalize: [] original_fieldset: hash short: SHA256 hash. type: keyword threat.indicator.file.hash.sha512: dashed_name: threat-indicator-file-hash-sha512 description: SHA512 hash. flat_name: threat.indicator.file.hash.sha512 ignore_above: 1024 level: extended name: sha512 normalize: [] original_fieldset: hash short: SHA512 hash. type: keyword threat.indicator.file.hash.ssdeep: dashed_name: threat-indicator-file-hash-ssdeep description: SSDEEP hash. flat_name: threat.indicator.file.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep normalize: [] original_fieldset: hash short: SSDEEP hash. type: keyword threat.indicator.file.inode: dashed_name: threat-indicator-file-inode description: Inode representing the file in the filesystem. example: '256383' flat_name: threat.indicator.file.inode ignore_above: 1024 level: extended name: inode normalize: [] original_fieldset: file short: Inode representing the file in the filesystem. 
type: keyword threat.indicator.file.mime_type: dashed_name: threat-indicator-file-mime-type description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended name: mime_type normalize: [] original_fieldset: file short: Media type of file, document, or arrangement of bytes. type: keyword threat.indicator.file.mode: dashed_name: threat-indicator-file-mode description: Mode of the file in octal representation. example: '0640' flat_name: threat.indicator.file.mode ignore_above: 1024 level: extended name: mode normalize: [] original_fieldset: file short: Mode of the file in octal representation. type: keyword threat.indicator.file.mtime: dashed_name: threat-indicator-file-mtime description: Last time the file content was modified. flat_name: threat.indicator.file.mtime level: extended name: mtime normalize: [] original_fieldset: file short: Last time the file content was modified. type: date threat.indicator.file.name: dashed_name: threat-indicator-file-name description: Name of the file including the extension, without the directory. example: example.png flat_name: threat.indicator.file.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword threat.indicator.file.owner: dashed_name: threat-indicator-file-owner description: File owner's username. example: alice flat_name: threat.indicator.file.owner ignore_above: 1024 level: extended name: owner normalize: [] original_fieldset: file short: File owner's username. type: keyword threat.indicator.file.path: dashed_name: threat-indicator-file-path description: Full path to the file, including the file name. 
It should include the drive letter, when appropriate. example: /home/alice/example.png flat_name: threat.indicator.file.path ignore_above: 1024 level: extended multi_fields: - flat_name: threat.indicator.file.path.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: threat.indicator.file.path.text name: text norms: false type: text name: path normalize: [] original_fieldset: file short: Full path to the file, including the file name. type: keyword threat.indicator.file.pe.architecture: dashed_name: threat-indicator-file-pe-architecture description: CPU architecture target for the file. example: x64 flat_name: threat.indicator.file.pe.architecture ignore_above: 1024 level: extended name: architecture normalize: [] original_fieldset: pe short: CPU architecture target for the file. type: keyword threat.indicator.file.pe.company: dashed_name: threat-indicator-file-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation flat_name: threat.indicator.file.pe.company ignore_above: 1024 level: extended name: company normalize: [] original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword threat.indicator.file.pe.description: dashed_name: threat-indicator-file-pe-description description: Internal description of the file, provided at compile-time. example: Paint flat_name: threat.indicator.file.pe.description ignore_above: 1024 level: extended name: description normalize: [] original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword threat.indicator.file.pe.file_version: dashed_name: threat-indicator-file-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 flat_name: threat.indicator.file.pe.file_version ignore_above: 1024 level: extended name: file_version normalize: [] original_fieldset: pe short: Process name. 
type: keyword threat.indicator.file.pe.imphash: dashed_name: threat-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf flat_name: threat.indicator.file.pe.imphash ignore_above: 1024 level: extended name: imphash normalize: [] original_fieldset: pe short: A hash of the imports in a PE file. type: keyword threat.indicator.file.pe.original_file_name: dashed_name: threat-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: threat.indicator.file.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword threat.indicator.file.pe.product: dashed_name: threat-indicator-file-pe-product description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: threat.indicator.file.pe.product ignore_above: 1024 level: extended name: product normalize: [] original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword threat.indicator.file.size: dashed_name: threat-indicator-file-size description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 flat_name: threat.indicator.file.size level: extended name: size normalize: [] original_fieldset: file short: File size in bytes. type: long threat.indicator.file.target_path: dashed_name: threat-indicator-file-target-path description: Target path for symlinks. 
flat_name: threat.indicator.file.target_path ignore_above: 1024 level: extended multi_fields: - flat_name: threat.indicator.file.target_path.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: threat.indicator.file.target_path.text name: text norms: false type: text name: target_path normalize: [] original_fieldset: file short: Target path for symlinks. type: keyword threat.indicator.file.type: dashed_name: threat-indicator-file-type description: File type (file, dir, or symlink). example: file flat_name: threat.indicator.file.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: file short: File type (file, dir, or symlink). type: keyword threat.indicator.file.uid: dashed_name: threat-indicator-file-uid description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' flat_name: threat.indicator.file.uid ignore_above: 1024 level: extended name: uid normalize: [] original_fieldset: file short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword threat.indicator.first_seen: dashed_name: threat-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. example: '2020-11-05T17:25:47.000Z' flat_name: threat.indicator.first_seen level: extended name: indicator.first_seen normalize: [] short: Date/time indicator was first reported. type: date threat.indicator.geo.city_name: dashed_name: threat-indicator-geo-city-name description: City name. example: Montreal flat_name: threat.indicator.geo.city_name ignore_above: 1024 level: core name: city_name normalize: [] original_fieldset: geo short: City name. type: keyword threat.indicator.geo.continent_code: dashed_name: threat-indicator-geo-continent-code description: Two-letter code representing continent's name. 
example: NA flat_name: threat.indicator.geo.continent_code ignore_above: 1024 level: core name: continent_code normalize: [] original_fieldset: geo short: Continent code. type: keyword threat.indicator.geo.continent_name: dashed_name: threat-indicator-geo-continent-name description: Name of the continent. example: North America flat_name: threat.indicator.geo.continent_name ignore_above: 1024 level: core name: continent_name normalize: [] original_fieldset: geo short: Name of the continent. type: keyword threat.indicator.geo.country_iso_code: dashed_name: threat-indicator-geo-country-iso-code description: Country ISO code. example: CA flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code normalize: [] original_fieldset: geo short: Country ISO code. type: keyword threat.indicator.geo.country_name: dashed_name: threat-indicator-geo-country-name description: Country name. example: Canada flat_name: threat.indicator.geo.country_name ignore_above: 1024 level: core name: country_name normalize: [] original_fieldset: geo short: Country name. type: keyword threat.indicator.geo.location: dashed_name: threat-indicator-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' flat_name: threat.indicator.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point threat.indicator.geo.name: dashed_name: threat-indicator-geo-name description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc flat_name: threat.indicator.geo.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. 
type: keyword threat.indicator.geo.postal_code: dashed_name: threat-indicator-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 flat_name: threat.indicator.geo.postal_code ignore_above: 1024 level: core name: postal_code normalize: [] original_fieldset: geo short: Postal code. type: keyword threat.indicator.geo.region_iso_code: dashed_name: threat-indicator-geo-region-iso-code description: Region ISO code. example: CA-QC flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code normalize: [] original_fieldset: geo short: Region ISO code. type: keyword threat.indicator.geo.region_name: dashed_name: threat-indicator-geo-region-name description: Region name. example: Quebec flat_name: threat.indicator.geo.region_name ignore_above: 1024 level: core name: region_name normalize: [] original_fieldset: geo short: Region name. type: keyword threat.indicator.geo.timezone: dashed_name: threat-indicator-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires flat_name: threat.indicator.geo.timezone ignore_above: 1024 level: core name: timezone normalize: [] original_fieldset: geo short: Time zone. type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 flat_name: threat.indicator.ip level: extended name: indicator.ip normalize: [] short: Indicator IP address type: ip threat.indicator.last_seen: dashed_name: threat-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. 
example: '2020-11-05T17:25:47.000Z' flat_name: threat.indicator.last_seen level: extended name: indicator.last_seen normalize: [] short: Date/time indicator was last reported. type: date threat.indicator.marking.tlp: dashed_name: threat-indicator-marking-tlp description: Traffic Light Protocol sharing markings. example: CLEAR expected_values: - WHITE - CLEAR - GREEN - AMBER - AMBER+STRICT - RED flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended name: indicator.marking.tlp normalize: [] short: Indicator TLP marking type: keyword threat.indicator.modified_at: dashed_name: threat-indicator-modified-at description: The date and time when intelligence source last modified information for this indicator. example: '2020-11-05T17:25:47.000Z' flat_name: threat.indicator.modified_at level: extended name: indicator.modified_at normalize: [] short: Date/time indicator was last updated. type: date threat.indicator.port: dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 flat_name: threat.indicator.port level: extended name: indicator.port normalize: [] short: Indicator port type: long threat.indicator.provider: dashed_name: threat-indicator-provider description: The name of the indicator's provider. example: lrz_urlhaus flat_name: threat.indicator.provider ignore_above: 1024 level: extended name: indicator.provider normalize: [] short: Indicator provider type: keyword threat.indicator.reference: dashed_name: threat-indicator-reference description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 flat_name: threat.indicator.reference ignore_above: 1024 level: extended name: indicator.reference normalize: [] short: Indicator reference URL type: keyword threat.indicator.registry.data.bytes: dashed_name: threat-indicator-registry-data-bytes description: 'Original bytes written with base64 encoding. 
For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= flat_name: threat.indicator.registry.data.bytes ignore_above: 1024 level: extended name: data.bytes normalize: [] original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword threat.indicator.registry.data.strings: dashed_name: threat-indicator-registry-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: threat.indicator.registry.data.strings level: core name: data.strings normalize: - array original_fieldset: registry short: List of strings representing what was written to the registry. type: wildcard threat.indicator.registry.data.type: dashed_name: threat-indicator-registry-data-type description: Standard registry type for encoding contents example: REG_SZ flat_name: threat.indicator.registry.data.type ignore_above: 1024 level: core name: data.type normalize: [] original_fieldset: registry short: Standard registry type for encoding contents type: keyword threat.indicator.registry.hive: dashed_name: threat-indicator-registry-hive description: Abbreviated name for the hive. example: HKLM flat_name: threat.indicator.registry.hive ignore_above: 1024 level: core name: hive normalize: [] original_fieldset: registry short: Abbreviated name for the hive. 
  type: keyword
threat.indicator.registry.key:
  dashed_name: threat-indicator-registry-key
  description: Hive-relative path of keys.
  example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
  flat_name: threat.indicator.registry.key
  ignore_above: 1024
  level: core
  name: key
  normalize: []
  original_fieldset: registry
  short: Hive-relative path of keys.
  type: keyword
threat.indicator.registry.path:
  dashed_name: threat-indicator-registry-path
  description: Full path, including hive, key and value
  example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
  flat_name: threat.indicator.registry.path
  ignore_above: 1024
  level: core
  name: path
  normalize: []
  original_fieldset: registry
  short: Full path, including hive, key and value
  type: keyword
threat.indicator.registry.value:
  dashed_name: threat-indicator-registry-value
  description: Name of the value written.
  example: Debugger
  flat_name: threat.indicator.registry.value
  ignore_above: 1024
  level: core
  name: value
  normalize: []
  original_fieldset: registry
  short: Name of the value written.
  type: keyword
threat.indicator.scanner_stats:
  dashed_name: threat-indicator-scanner-stats
  description: Count of AV/EDR vendors that successfully detected malicious file or URL.
  example: 4
  flat_name: threat.indicator.scanner_stats
  level: extended
  name: indicator.scanner_stats
  normalize: []
  short: Scanner statistics
  type: long
threat.indicator.sightings:
  dashed_name: threat-indicator-sightings
  description: Number of times this indicator was observed conducting threat activity.
  example: 20
  flat_name: threat.indicator.sightings
  level: extended
  name: indicator.sightings
  normalize: []
  short: Number of times indicator observed
  type: long
threat.indicator.type:
  dashed_name: threat-indicator-type
  description: Type of indicator as represented by Cyber Observable in STIX 2.0.
  example: ipv4-addr
  expected_values:
  - autonomous-system
  - artifact
  - directory
  - domain-name
  - email-addr
  - file
  - ipv4-addr
  - ipv6-addr
  - mac-addr
  - mutex
  - port
  - process
  - software
  - url
  - user-account
  - windows-registry-key
  - x509-certificate
  flat_name: threat.indicator.type
  ignore_above: 1024
  level: extended
  name: indicator.type
  normalize: []
  short: Type of indicator
  type: keyword
threat.indicator.url.domain:
  dashed_name: threat-indicator-url-domain
  description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.'
  example: www.elastic.co
  flat_name: threat.indicator.url.domain
  ignore_above: 1024
  level: extended
  name: domain
  normalize: []
  original_fieldset: url
  short: Domain of the url.
  type: keyword
threat.indicator.url.extension:
  dashed_name: threat-indicator-url-extension
  description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").'
  example: png
  flat_name: threat.indicator.url.extension
  ignore_above: 1024
  level: extended
  name: extension
  normalize: []
  original_fieldset: url
  short: File extension from the request url, excluding the leading dot.
  type: keyword
threat.indicator.url.fragment:
  dashed_name: threat-indicator-url-fragment
  description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.'
  flat_name: threat.indicator.url.fragment
  ignore_above: 1024
  level: extended
  name: fragment
  normalize: []
  original_fieldset: url
  short: Portion of the url after the `#`.
  type: keyword
threat.indicator.url.full:
  dashed_name: threat-indicator-url-full
  description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
  example: https://www.elastic.co:443/search?q=elasticsearch#top
  flat_name: threat.indicator.url.full
  level: extended
  multi_fields:
  - flat_name: threat.indicator.url.full.text
    name: text
    type: match_only_text
  name: full
  normalize: []
  original_fieldset: url
  short: Full unparsed URL.
  type: wildcard
threat.indicator.url.original:
  dashed_name: threat-indicator-url-original
  description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.'
  example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
  flat_name: threat.indicator.url.original
  level: extended
  multi_fields:
  - flat_name: threat.indicator.url.original.text
    name: text
    type: match_only_text
  name: original
  normalize: []
  original_fieldset: url
  short: Unmodified original url as seen in the event source.
  type: wildcard
threat.indicator.url.password:
  dashed_name: threat-indicator-url-password
  description: Password of the request.
  flat_name: threat.indicator.url.password
  ignore_above: 1024
  level: extended
  name: password
  normalize: []
  original_fieldset: url
  short: Password of the request.
  type: keyword
threat.indicator.url.path:
  dashed_name: threat-indicator-url-path
  description: Path of the request, such as "/search".
  flat_name: threat.indicator.url.path
  level: extended
  name: path
  normalize: []
  original_fieldset: url
  short: Path of the request, such as "/search".
  type: wildcard
threat.indicator.url.port:
  dashed_name: threat-indicator-url-port
  description: Port of the request, such as 443.
  example: 443
  flat_name: threat.indicator.url.port
  format: string
  level: extended
  name: port
  normalize: []
  original_fieldset: url
  short: Port of the request, such as 443.
  type: long
threat.indicator.url.query:
  dashed_name: threat-indicator-url-query
  description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.'
  flat_name: threat.indicator.url.query
  ignore_above: 1024
  level: extended
  name: query
  normalize: []
  original_fieldset: url
  short: Query string of the request.
  type: keyword
threat.indicator.url.registered_domain:
  dashed_name: threat-indicator-url-registered-domain
  description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".'
  example: example.com
  flat_name: threat.indicator.url.registered_domain
  ignore_above: 1024
  level: extended
  name: registered_domain
  normalize: []
  original_fieldset: url
  short: The highest registered url domain, stripped of the subdomain.
  type: keyword
threat.indicator.url.scheme:
  dashed_name: threat-indicator-url-scheme
  description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.'
  example: https
  flat_name: threat.indicator.url.scheme
  ignore_above: 1024
  level: extended
  name: scheme
  normalize: []
  original_fieldset: url
  short: Scheme of the url.
  type: keyword
threat.indicator.url.subdomain:
  dashed_name: threat-indicator-url-subdomain
  description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.'
  example: east
  flat_name: threat.indicator.url.subdomain
  ignore_above: 1024
  level: extended
  name: subdomain
  normalize: []
  original_fieldset: url
  short: The subdomain of the domain.
  type: keyword
threat.indicator.url.top_level_domain:
  dashed_name: threat-indicator-url-top-level-domain
  description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".'
  example: co.uk
  flat_name: threat.indicator.url.top_level_domain
  ignore_above: 1024
  level: extended
  name: top_level_domain
  normalize: []
  original_fieldset: url
  short: The effective top level domain (com, org, net, co.uk).
  type: keyword
threat.indicator.url.username:
  dashed_name: threat-indicator-url-username
  description: Username of the request.
  flat_name: threat.indicator.url.username
  ignore_above: 1024
  level: extended
  name: username
  normalize: []
  original_fieldset: url
  short: Username of the request.
  type: keyword
threat.indicator.x509.alternative_names:
  dashed_name: threat-indicator-x509-alternative-names
  description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
  example: '*.elastic.co'
  flat_name: threat.indicator.x509.alternative_names
  ignore_above: 1024
  level: extended
  name: alternative_names
  normalize:
  - array
  original_fieldset: x509
  short: List of subject alternative names (SAN).
  type: keyword
threat.indicator.x509.issuer.common_name:
  dashed_name: threat-indicator-x509-issuer-common-name
  description: List of common name (CN) of issuing certificate authority.
  example: Example SHA2 High Assurance Server CA
  flat_name: threat.indicator.x509.issuer.common_name
  ignore_above: 1024
  level: extended
  name: issuer.common_name
  normalize:
  - array
  original_fieldset: x509
  short: List of common name (CN) of issuing certificate authority.
  type: keyword
threat.indicator.x509.issuer.country:
  dashed_name: threat-indicator-x509-issuer-country
  description: List of country (C) codes
  example: US
  flat_name: threat.indicator.x509.issuer.country
  ignore_above: 1024
  level: extended
  name: issuer.country
  normalize:
  - array
  original_fieldset: x509
  short: List of country (C) codes
  type: keyword
threat.indicator.x509.issuer.distinguished_name:
  dashed_name: threat-indicator-x509-issuer-distinguished-name
  description: Distinguished name (DN) of issuing certificate authority.
  example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
  flat_name: threat.indicator.x509.issuer.distinguished_name
  ignore_above: 1024
  level: extended
  name: issuer.distinguished_name
  normalize: []
  original_fieldset: x509
  short: Distinguished name (DN) of issuing certificate authority.
  type: keyword
threat.indicator.x509.issuer.locality:
  dashed_name: threat-indicator-x509-issuer-locality
  description: List of locality names (L)
  example: Mountain View
  flat_name: threat.indicator.x509.issuer.locality
  ignore_above: 1024
  level: extended
  name: issuer.locality
  normalize:
  - array
  original_fieldset: x509
  short: List of locality names (L)
  type: keyword
threat.indicator.x509.issuer.organization:
  dashed_name: threat-indicator-x509-issuer-organization
  description: List of organizations (O) of issuing certificate authority.
  example: Example Inc
  flat_name: threat.indicator.x509.issuer.organization
  ignore_above: 1024
  level: extended
  name: issuer.organization
  normalize:
  - array
  original_fieldset: x509
  short: List of organizations (O) of issuing certificate authority.
  type: keyword
threat.indicator.x509.issuer.organizational_unit:
  dashed_name: threat-indicator-x509-issuer-organizational-unit
  description: List of organizational units (OU) of issuing certificate authority.
  example: www.example.com
  flat_name: threat.indicator.x509.issuer.organizational_unit
  ignore_above: 1024
  level: extended
  name: issuer.organizational_unit
  normalize:
  - array
  original_fieldset: x509
  short: List of organizational units (OU) of issuing certificate authority.
  type: keyword
threat.indicator.x509.issuer.state_or_province:
  dashed_name: threat-indicator-x509-issuer-state-or-province
  description: List of state or province names (ST, S, or P)
  example: California
  flat_name: threat.indicator.x509.issuer.state_or_province
  ignore_above: 1024
  level: extended
  name: issuer.state_or_province
  normalize:
  - array
  original_fieldset: x509
  short: List of state or province names (ST, S, or P)
  type: keyword
threat.indicator.x509.not_after:
  dashed_name: threat-indicator-x509-not-after
  description: Time at which the certificate is no longer considered valid.
  example: '2020-07-16T03:15:39Z'
  flat_name: threat.indicator.x509.not_after
  level: extended
  name: not_after
  normalize: []
  original_fieldset: x509
  short: Time at which the certificate is no longer considered valid.
  type: date
threat.indicator.x509.not_before:
  dashed_name: threat-indicator-x509-not-before
  description: Time at which the certificate is first considered valid.
  example: '2019-08-16T01:40:25Z'
  flat_name: threat.indicator.x509.not_before
  level: extended
  name: not_before
  normalize: []
  original_fieldset: x509
  short: Time at which the certificate is first considered valid.
  type: date
threat.indicator.x509.public_key_algorithm:
  dashed_name: threat-indicator-x509-public-key-algorithm
  description: Algorithm used to generate the public key.
  example: RSA
  flat_name: threat.indicator.x509.public_key_algorithm
  ignore_above: 1024
  level: extended
  name: public_key_algorithm
  normalize: []
  original_fieldset: x509
  short: Algorithm used to generate the public key.
  type: keyword
threat.indicator.x509.public_key_curve:
  dashed_name: threat-indicator-x509-public-key-curve
  description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
  example: nistp521
  flat_name: threat.indicator.x509.public_key_curve
  ignore_above: 1024
  level: extended
  name: public_key_curve
  normalize: []
  original_fieldset: x509
  short: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
  type: keyword
threat.indicator.x509.public_key_exponent:
  dashed_name: threat-indicator-x509-public-key-exponent
  description: Exponent used to derive the public key. This is algorithm specific.
  doc_values: false
  example: 65537
  flat_name: threat.indicator.x509.public_key_exponent
  index: false
  level: extended
  name: public_key_exponent
  normalize: []
  original_fieldset: x509
  short: Exponent used to derive the public key. This is algorithm specific.
  type: long
threat.indicator.x509.public_key_size:
  dashed_name: threat-indicator-x509-public-key-size
  description: The size of the public key space in bits.
  example: 2048
  flat_name: threat.indicator.x509.public_key_size
  level: extended
  name: public_key_size
  normalize: []
  original_fieldset: x509
  short: The size of the public key space in bits.
  type: long
threat.indicator.x509.serial_number:
  dashed_name: threat-indicator-x509-serial-number
  description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
  example: 55FBB9C7DEBF09809D12CCAA
  flat_name: threat.indicator.x509.serial_number
  ignore_above: 1024
  level: extended
  name: serial_number
  normalize: []
  original_fieldset: x509
  short: Unique serial number issued by the certificate authority.
  type: keyword
threat.indicator.x509.signature_algorithm:
  dashed_name: threat-indicator-x509-signature-algorithm
  description: Identifier for certificate signature algorithm. We recommend using the names found in the Go crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
  example: SHA256-RSA
  flat_name: threat.indicator.x509.signature_algorithm
  ignore_above: 1024
  level: extended
  name: signature_algorithm
  normalize: []
  original_fieldset: x509
  short: Identifier for certificate signature algorithm.
  type: keyword
threat.indicator.x509.subject.common_name:
  dashed_name: threat-indicator-x509-subject-common-name
  description: List of common names (CN) of subject.
  example: shared.global.example.net
  flat_name: threat.indicator.x509.subject.common_name
  ignore_above: 1024
  level: extended
  name: subject.common_name
  normalize:
  - array
  original_fieldset: x509
  short: List of common names (CN) of subject.
  type: keyword
threat.indicator.x509.subject.country:
  dashed_name: threat-indicator-x509-subject-country
  description: List of country (C) codes
  example: US
  flat_name: threat.indicator.x509.subject.country
  ignore_above: 1024
  level: extended
  name: subject.country
  normalize:
  - array
  original_fieldset: x509
  short: List of country (C) codes
  type: keyword
threat.indicator.x509.subject.distinguished_name:
  dashed_name: threat-indicator-x509-subject-distinguished-name
  description: Distinguished name (DN) of the certificate subject entity.
  example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
  flat_name: threat.indicator.x509.subject.distinguished_name
  ignore_above: 1024
  level: extended
  name: subject.distinguished_name
  normalize: []
  original_fieldset: x509
  short: Distinguished name (DN) of the certificate subject entity.
  type: keyword
threat.indicator.x509.subject.locality:
  dashed_name: threat-indicator-x509-subject-locality
  description: List of locality names (L)
  example: San Francisco
  flat_name: threat.indicator.x509.subject.locality
  ignore_above: 1024
  level: extended
  name: subject.locality
  normalize:
  - array
  original_fieldset: x509
  short: List of locality names (L)
  type: keyword
threat.indicator.x509.subject.organization:
  dashed_name: threat-indicator-x509-subject-organization
  description: List of organizations (O) of subject.
  example: Example, Inc.
  flat_name: threat.indicator.x509.subject.organization
  ignore_above: 1024
  level: extended
  name: subject.organization
  normalize:
  - array
  original_fieldset: x509
  short: List of organizations (O) of subject.
  type: keyword
threat.indicator.x509.subject.organizational_unit:
  dashed_name: threat-indicator-x509-subject-organizational-unit
  description: List of organizational units (OU) of subject.
  flat_name: threat.indicator.x509.subject.organizational_unit
  ignore_above: 1024
  level: extended
  name: subject.organizational_unit
  normalize:
  - array
  original_fieldset: x509
  short: List of organizational units (OU) of subject.
  type: keyword
threat.indicator.x509.subject.state_or_province:
  dashed_name: threat-indicator-x509-subject-state-or-province
  description: List of state or province names (ST, S, or P)
  example: California
  flat_name: threat.indicator.x509.subject.state_or_province
  ignore_above: 1024
  level: extended
  name: subject.state_or_province
  normalize:
  - array
  original_fieldset: x509
  short: List of state or province names (ST, S, or P)
  type: keyword
threat.indicator.x509.version_number:
  dashed_name: threat-indicator-x509-version-number
  description: Version of x509 format.
  example: 3
  flat_name: threat.indicator.x509.version_number
  ignore_above: 1024
  level: extended
  name: version_number
  normalize: []
  original_fieldset: x509
  short: Version of x509 format.
  type: keyword
threat.software.id:
  dashed_name: threat-software-id
  description: "The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software id."
  example: S0552
  flat_name: threat.software.id
  ignore_above: 1024
  level: extended
  name: software.id
  normalize: []
  short: ID of the software
  type: keyword
threat.software.name:
  dashed_name: threat-software-name
  description: "The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software name."
  example: AdFind
  flat_name: threat.software.name
  ignore_above: 1024
  level: extended
  name: software.name
  normalize: []
  short: Name of the software.
  type: keyword
threat.software.platforms:
  dashed_name: threat-software-platforms
  description: "The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use MITRE ATT&CK® software platform values."
  example: '[ "Windows" ]'
  expected_values:
  - AWS
  - Azure
  - Azure AD
  - GCP
  - Linux
  - macOS
  - Network
  - Office 365
  - SaaS
  - Windows
  flat_name: threat.software.platforms
  ignore_above: 1024
  level: extended
  name: software.platforms
  normalize:
  - array
  short: Platforms of the software.
  type: keyword
threat.software.reference:
  dashed_name: threat-software-reference
  description: "The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software reference URL."
  example: https://attack.mitre.org/software/S0552/
  flat_name: threat.software.reference
  ignore_above: 1024
  level: extended
  name: software.reference
  normalize: []
  short: Software reference URL.
  type: keyword
threat.software.type:
  dashed_name: threat-software-type
  description: "The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software type."
  example: Tool
  expected_values:
  - Malware
  - Tool
  flat_name: threat.software.type
  ignore_above: 1024
  level: extended
  name: software.type
  normalize: []
  short: Software type.
  type: keyword
threat.tactic.id:
  dashed_name: threat-tactic-id
  description: "The id of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
  example: TA0002
  flat_name: threat.tactic.id
  ignore_above: 1024
  level: extended
  name: tactic.id
  normalize:
  - array
  short: Threat tactic id.
  type: keyword
threat.tactic.name:
  dashed_name: threat-tactic-name
  description: "Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
  example: Execution
  flat_name: threat.tactic.name
  ignore_above: 1024
  level: extended
  name: tactic.name
  normalize:
  - array
  short: Threat tactic.
  type: keyword
threat.tactic.reference:
  dashed_name: threat-tactic-reference
  description: "The reference url of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
  example: https://attack.mitre.org/tactics/TA0002/
  flat_name: threat.tactic.reference
  ignore_above: 1024
  level: extended
  name: tactic.reference
  normalize:
  - array
  short: Threat tactic URL reference.
  type: keyword
threat.technique.id:
  dashed_name: threat-technique-id
  description: "The id of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
  example: T1059
  flat_name: threat.technique.id
  ignore_above: 1024
  level: extended
  name: technique.id
  normalize:
  - array
  short: Threat technique id.
  type: keyword
threat.technique.name:
  dashed_name: threat-technique-name
  description: "The name of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
  example: Command and Scripting Interpreter
  flat_name: threat.technique.name
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: threat.technique.name.text
    name: text
    type: match_only_text
  name: technique.name
  normalize:
  - array
  short: Threat technique name.
  type: keyword
threat.technique.reference:
  dashed_name: threat-technique-reference
  description: "The reference url of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
  example: https://attack.mitre.org/techniques/T1059/
  flat_name: threat.technique.reference
  ignore_above: 1024
  level: extended
  name: technique.reference
  normalize:
  - array
  short: Threat technique URL reference.
  type: keyword
threat.technique.subtechnique.id:
  dashed_name: threat-technique-subtechnique-id
  description: "The full id of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
  example: T1059.001
  flat_name: threat.technique.subtechnique.id
  ignore_above: 1024
  level: extended
  name: technique.subtechnique.id
  normalize:
  - array
  short: Threat subtechnique id.
  type: keyword
threat.technique.subtechnique.name:
  dashed_name: threat-technique-subtechnique-name
  description: "The name of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
  example: PowerShell
  flat_name: threat.technique.subtechnique.name
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: threat.technique.subtechnique.name.text
    name: text
    type: match_only_text
  name: technique.subtechnique.name
  normalize:
  - array
  short: Threat subtechnique name.
  type: keyword
threat.technique.subtechnique.reference:
  dashed_name: threat-technique-subtechnique-reference
  description: "The reference url of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
  example: https://attack.mitre.org/techniques/T1059/001/
  flat_name: threat.technique.subtechnique.reference
  ignore_above: 1024
  level: extended
  name: technique.subtechnique.reference
  normalize:
  - array
  short: Threat subtechnique URL reference.
  type: keyword