schemas/v1/api/api.yaml (5,499 lines of code) (raw):

'@timestamp':
  dashed_name: timestamp
  description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.'
  example: '2016-05-23T08:05:34.853Z'
  flat_name: '@timestamp'
  level: core
  name: '@timestamp'
  normalize: []
  required: true
  short: Date/time when the event originated.
  type: date
Target.process.Ext:
  dashed_name: Target-process-Ext
  description: Object for all custom defined fields to live in.
  flat_name: Target.process.Ext
  level: custom
  name: Ext
  normalize: []
  original_fieldset: process
  short: Object for all custom defined fields to live in.
  type: object
Target.process.Ext.created_suspended:
  dashed_name: Target-process-Ext-created-suspended
  description: A heuristic indicating if the CREATE_SUSPENDED flag was passed to the Win32 CreateProcess API. Not valid for direct syscalls.
  example: 'true'
  flat_name: Target.process.Ext.created_suspended
  level: custom
  name: Ext.created_suspended
  normalize: []
  original_fieldset: process
  short: A heuristic indicating if the CREATE_SUSPENDED flag was passed to the Win32 CreateProcess API.
  type: boolean
Target.process.Ext.memory_region.allocation_base:
  dashed_name: Target-process-Ext-memory-region-allocation-base
  description: Base address of the memory allocation containing the memory region.
  example: 2431737462784
  flat_name: Target.process.Ext.memory_region.allocation_base
  level: custom
  name: allocation_base
  normalize: []
  original_fieldset: memory_region
  short: Base address of the memory allocation containing the memory region.
  type: unsigned_long
Target.process.Ext.memory_region.allocation_protection:
  dashed_name: Target-process-Ext-memory-region-allocation-protection
  description: Original memory protection requested when the memory was allocated. Example values include "RWX" and "R-X".
  example: RWX
  flat_name: Target.process.Ext.memory_region.allocation_protection
  ignore_above: 1024
  level: custom
  name: allocation_protection
  normalize: []
  original_fieldset: memory_region
  short: Original memory protection requested when the memory was allocated. Example values include "RWX" and "R-X".
  type: keyword
Target.process.Ext.memory_region.allocation_size:
  dashed_name: Target-process-Ext-memory-region-allocation-size
  description: Original memory size requested when the memory was allocated.
  example: 4096
  flat_name: Target.process.Ext.memory_region.allocation_size
  level: custom
  name: allocation_size
  normalize: []
  original_fieldset: memory_region
  short: Original memory size requested when the memory was allocated.
  type: unsigned_long
Target.process.Ext.memory_region.allocation_type:
  dashed_name: Target-process-Ext-memory-region-allocation-type
  description: The memory allocation type. Example values include "IMAGE", "MAPPED", and "PRIVATE".
  example: PRIVATE
  flat_name: Target.process.Ext.memory_region.allocation_type
  ignore_above: 1024
  level: custom
  name: allocation_type
  normalize: []
  original_fieldset: memory_region
  short: The memory allocation type. Example values include "IMAGE", "MAPPED", and "PRIVATE".
  type: keyword
Target.process.Ext.memory_region.bytes_address:
  dashed_name: Target-process-Ext-memory-region-bytes-address
  description: The address where bytes_compressed begins.
  example: 2431737462784
  flat_name: Target.process.Ext.memory_region.bytes_address
  level: custom
  name: bytes_address
  normalize: []
  original_fieldset: memory_region
  short: The address where bytes_compressed begins.
  type: unsigned_long
Target.process.Ext.memory_region.bytes_allocation_offset:
  dashed_name: Target-process-Ext-memory-region-bytes-allocation-offset
  description: Offset of bytes_address the memory allocation. Equal to bytes_address - allocation_base.
  example: 0
  flat_name: Target.process.Ext.memory_region.bytes_allocation_offset
  level: custom
  name: bytes_allocation_offset
  normalize: []
  original_fieldset: memory_region
  short: Offset of bytes_address the memory allocation. Equal to bytes_address - allocation_base.
  type: unsigned_long
Target.process.Ext.memory_region.bytes_compressed:
  dashed_name: Target-process-Ext-memory-region-bytes-compressed
  description: Up to 4MB of raw data from the memory allocation. This is compressed with zlib. To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times.
  doc_values: false
  example: eJzzSM3JyVcIzy/KSVEEABxJBD4=
  flat_name: Target.process.Ext.memory_region.bytes_compressed
  index: false
  level: custom
  name: bytes_compressed
  normalize: []
  original_fieldset: memory_region
  short: Up to 4MB of raw data from the memory allocation.
  type: keyword
Target.process.Ext.memory_region.bytes_compressed_present:
  dashed_name: Target-process-Ext-memory-region-bytes-compressed-present
  description: Whether bytes_compressed is present in this event.
  example: false
  flat_name: Target.process.Ext.memory_region.bytes_compressed_present
  level: custom
  name: bytes_compressed_present
  normalize: []
  original_fieldset: memory_region
  short: Whether bytes_compressed is present in this event.
  type: boolean
Target.process.Ext.memory_region.hash.sha256:
  dashed_name: Target-process-Ext-memory-region-hash-sha256
  description: The sha256 of the memory region.
  example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0
  flat_name: Target.process.Ext.memory_region.hash.sha256
  ignore_above: 1024
  level: custom
  name: hash.sha256
  normalize: []
  original_fieldset: memory_region
  short: The sha256 of the memory region.
  type: keyword
Target.process.Ext.memory_region.malware_signature.all_names:
  dashed_name: Target-process-Ext-memory-region-malware-signature-all-names
  description: A sequence of signature names matched.
  example: Windows.EICAR.Not-a-virus
  flat_name: Target.process.Ext.memory_region.malware_signature.all_names
  ignore_above: 1024
  level: custom
  name: all_names
  normalize: []
  original_fieldset: malware_signature
  short: A sequence of signature names matched.
  type: keyword
Target.process.Ext.memory_region.malware_signature.identifier:
  dashed_name: Target-process-Ext-memory-region-malware-signature-identifier
  description: malware signature identifier
  flat_name: Target.process.Ext.memory_region.malware_signature.identifier
  ignore_above: 1024
  level: custom
  name: identifier
  normalize: []
  original_fieldset: malware_signature
  short: malware signature identifier
  type: keyword
Target.process.Ext.memory_region.malware_signature.primary:
  dashed_name: Target-process-Ext-memory-region-malware-signature-primary
  description: The first matching details.
  flat_name: Target.process.Ext.memory_region.malware_signature.primary
  level: custom
  name: primary
  normalize: []
  original_fieldset: malware_signature
  short: The first matching details.
  type: object
Target.process.Ext.memory_region.malware_signature.primary.matches:
  dashed_name: Target-process-Ext-memory-region-malware-signature-primary-matches
  description: The first matching details.
  doc_values: false
  flat_name: Target.process.Ext.memory_region.malware_signature.primary.matches
  index: false
  level: custom
  name: primary.matches
  normalize: []
  original_fieldset: malware_signature
  short: The first matching details.
  type: keyword
Target.process.Ext.memory_region.malware_signature.primary.signature.hash:
  dashed_name: Target-process-Ext-memory-region-malware-signature-primary-signature-hash
  description: hash of file matching signature.
  flat_name: Target.process.Ext.memory_region.malware_signature.primary.signature.hash
  level: custom
  name: primary.signature.hash
  normalize: []
  original_fieldset: malware_signature
  short: hash of file matching signature.
  type: nested
Target.process.Ext.memory_region.malware_signature.primary.signature.hash.sha256:
  dashed_name: Target-process-Ext-memory-region-malware-signature-primary-signature-hash-sha256
  description: sha256 hash of file matching signature.
  flat_name: Target.process.Ext.memory_region.malware_signature.primary.signature.hash.sha256
  ignore_above: 1024
  level: custom
  name: primary.signature.hash.sha256
  normalize: []
  original_fieldset: malware_signature
  short: sha256 hash of file matching signature.
  type: keyword
Target.process.Ext.memory_region.malware_signature.primary.signature.id:
  dashed_name: Target-process-Ext-memory-region-malware-signature-primary-signature-id
  description: The id of the first yara rule matched.
  flat_name: Target.process.Ext.memory_region.malware_signature.primary.signature.id
  ignore_above: 1024
  level: custom
  name: primary.signature.id
  normalize: []
  original_fieldset: malware_signature
  short: The id of the first yara rule matched.
  type: keyword
Target.process.Ext.memory_region.malware_signature.primary.signature.name:
  dashed_name: Target-process-Ext-memory-region-malware-signature-primary-signature-name
  description: The name of the first yara rule matched.
  flat_name: Target.process.Ext.memory_region.malware_signature.primary.signature.name
  ignore_above: 1024
  level: custom
  name: primary.signature.name
  normalize: []
  original_fieldset: malware_signature
  short: The name of the first yara rule matched.
  type: keyword
Target.process.Ext.memory_region.malware_signature.secondary:
  dashed_name: Target-process-Ext-memory-region-malware-signature-secondary
  description: Additional matching details if available.
  enabled: false
  flat_name: Target.process.Ext.memory_region.malware_signature.secondary
  level: custom
  name: secondary
  normalize: []
  original_fieldset: malware_signature
  short: Additional matching details if available.
  type: nested
Target.process.Ext.memory_region.malware_signature.secondary.matches:
  dashed_name: Target-process-Ext-memory-region-malware-signature-secondary-matches
  description: The second matching details.
  enabled: false
  flat_name: Target.process.Ext.memory_region.malware_signature.secondary.matches
  ignore_above: 1024
  level: custom
  name: secondary.matches
  normalize: []
  original_fieldset: malware_signature
  short: The second matching details.
  type: keyword
Target.process.Ext.memory_region.malware_signature.secondary.signature.hash:
  dashed_name: Target-process-Ext-memory-region-malware-signature-secondary-signature-hash
  description: hash of second file matching signature.
  enabled: false
  flat_name: Target.process.Ext.memory_region.malware_signature.secondary.signature.hash
  level: custom
  name: secondary.signature.hash
  normalize: []
  original_fieldset: malware_signature
  short: hash of second file matching signature.
  type: nested
Target.process.Ext.memory_region.malware_signature.secondary.signature.hash.sha256:
  dashed_name: Target-process-Ext-memory-region-malware-signature-secondary-signature-hash-sha256
  description: sha256 hash of second file matching signature.
  enabled: false
  flat_name: Target.process.Ext.memory_region.malware_signature.secondary.signature.hash.sha256
  ignore_above: 1024
  level: custom
  name: secondary.signature.hash.sha256
  normalize: []
  original_fieldset: malware_signature
  short: sha256 hash of second file matching signature.
  type: keyword
Target.process.Ext.memory_region.malware_signature.secondary.signature.id:
  dashed_name: Target-process-Ext-memory-region-malware-signature-secondary-signature-id
  description: The id of the second yara rule matched.
  enabled: false
  flat_name: Target.process.Ext.memory_region.malware_signature.secondary.signature.id
  ignore_above: 1024
  level: custom
  name: secondary.signature.id
  normalize: []
  original_fieldset: malware_signature
  short: The id of the second yara rule matched.
  type: keyword
Target.process.Ext.memory_region.malware_signature.secondary.signature.name:
  dashed_name: Target-process-Ext-memory-region-malware-signature-secondary-signature-name
  description: The name of the second yara rule matched.
  enabled: false
  flat_name: Target.process.Ext.memory_region.malware_signature.secondary.signature.name
  ignore_above: 1024
  level: custom
  name: secondary.signature.name
  normalize: []
  original_fieldset: malware_signature
  short: The name of the second yara rule matched.
  type: keyword
Target.process.Ext.memory_region.malware_signature.version:
  dashed_name: Target-process-Ext-memory-region-malware-signature-version
  description: malware signature version
  flat_name: Target.process.Ext.memory_region.malware_signature.version
  ignore_above: 1024
  level: custom
  name: version
  normalize: []
  original_fieldset: malware_signature
  short: malware signature version
  type: keyword
Target.process.Ext.memory_region.mapped_path:
  dashed_name: Target-process-Ext-memory-region-mapped-path
  description: If the memory corresponds to a file mapping, this is the file's path.
  example: C:\Windows\System32\mshtml.dll
  flat_name: Target.process.Ext.memory_region.mapped_path
  ignore_above: 1024
  level: custom
  name: mapped_path
  normalize: []
  original_fieldset: memory_region
  short: If the memory corresponds to a file mapping, this is the file's path.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.dotnet:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-dotnet
  description: Whether this file is a .NET PE
  example: 'true'
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.dotnet
  level: custom
  name: Ext.dotnet
  normalize: []
  original_fieldset: pe
  short: Whether this file is a .NET PE
  type: boolean
Target.process.Ext.memory_region.mapped_pe.Ext.sections:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-sections
  description: The file's relevant sections, if it is a PE
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.sections
  level: custom
  name: Ext.sections
  normalize: []
  original_fieldset: pe
  short: The file's sections, if it is a PE
  type: object
Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.md5:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-sections-hash-md5
  description: MD5 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.md5
  ignore_above: 1024
  level: extended
  name: md5
  normalize: []
  original_fieldset: hash
  short: MD5 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha1:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-sections-hash-sha1
  description: SHA1 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha1
  ignore_above: 1024
  level: extended
  name: sha1
  normalize: []
  original_fieldset: hash
  short: SHA1 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha256:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-sections-hash-sha256
  description: SHA256 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha256
  ignore_above: 1024
  level: extended
  name: sha256
  normalize: []
  original_fieldset: hash
  short: SHA256 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha384:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-sections-hash-sha384
  description: SHA384 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha384
  ignore_above: 1024
  level: extended
  name: sha384
  normalize: []
  original_fieldset: hash
  short: SHA384 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha512:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-sections-hash-sha512
  description: SHA512 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha512
  ignore_above: 1024
  level: extended
  name: sha512
  normalize: []
  original_fieldset: hash
  short: SHA512 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.ssdeep:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-sections-hash-ssdeep
  description: SSDEEP hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.ssdeep
  ignore_above: 1024
  level: extended
  name: ssdeep
  normalize: []
  original_fieldset: hash
  short: SSDEEP hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.tlsh:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-sections-hash-tlsh
  description: TLSH hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.sections.hash.tlsh
  ignore_above: 1024
  level: extended
  name: tlsh
  normalize: []
  original_fieldset: hash
  short: TLSH hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.sections.name:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-sections-name
  description: The section's name
  example: .reloc
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.sections.name
  ignore_above: 1024
  level: custom
  name: Ext.sections.name
  normalize: []
  original_fieldset: pe
  short: The section's name
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.streams:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-streams
  description: The file's streams, if it is a PE
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.streams
  level: custom
  name: Ext.streams
  normalize: []
  original_fieldset: pe
  short: The file's streams, if it is a PE
  type: object
Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.md5:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-streams-hash-md5
  description: MD5 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.md5
  ignore_above: 1024
  level: extended
  name: md5
  normalize: []
  original_fieldset: hash
  short: MD5 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha1:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-streams-hash-sha1
  description: SHA1 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha1
  ignore_above: 1024
  level: extended
  name: sha1
  normalize: []
  original_fieldset: hash
  short: SHA1 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha256:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-streams-hash-sha256
  description: SHA256 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha256
  ignore_above: 1024
  level: extended
  name: sha256
  normalize: []
  original_fieldset: hash
  short: SHA256 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha384:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-streams-hash-sha384
  description: SHA384 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha384
  ignore_above: 1024
  level: extended
  name: sha384
  normalize: []
  original_fieldset: hash
  short: SHA384 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha512:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-streams-hash-sha512
  description: SHA512 hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha512
  ignore_above: 1024
  level: extended
  name: sha512
  normalize: []
  original_fieldset: hash
  short: SHA512 hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.ssdeep:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-streams-hash-ssdeep
  description: SSDEEP hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.ssdeep
  ignore_above: 1024
  level: extended
  name: ssdeep
  normalize: []
  original_fieldset: hash
  short: SSDEEP hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.tlsh:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-streams-hash-tlsh
  description: TLSH hash.
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.streams.hash.tlsh
  ignore_above: 1024
  level: extended
  name: tlsh
  normalize: []
  original_fieldset: hash
  short: TLSH hash.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.Ext.streams.name:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-Ext-streams-name
  description: The stream's name
  example: .reloc
  flat_name: Target.process.Ext.memory_region.mapped_pe.Ext.streams.name
  ignore_above: 1024
  level: custom
  name: Ext.streams.name
  normalize: []
  original_fieldset: pe
  short: The stream's name
  type: keyword
Target.process.Ext.memory_region.mapped_pe.architecture:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-architecture
  description: CPU architecture target for the file.
  example: x64
  flat_name: Target.process.Ext.memory_region.mapped_pe.architecture
  ignore_above: 1024
  level: extended
  name: architecture
  normalize: []
  original_fieldset: pe
  short: CPU architecture target for the file.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.company:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-company
  description: Internal company name of the file, provided at compile-time.
  example: Microsoft Corporation
  flat_name: Target.process.Ext.memory_region.mapped_pe.company
  ignore_above: 1024
  level: extended
  name: company
  normalize: []
  original_fieldset: pe
  short: Internal company name of the file, provided at compile-time.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.description:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-description
  description: Internal description of the file, provided at compile-time.
  example: Paint
  flat_name: Target.process.Ext.memory_region.mapped_pe.description
  ignore_above: 1024
  level: extended
  name: description
  normalize: []
  original_fieldset: pe
  short: Internal description of the file, provided at compile-time.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.file_version:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-file-version
  description: Internal version of the file, provided at compile-time.
  example: 6.3.9600.17415
  flat_name: Target.process.Ext.memory_region.mapped_pe.file_version
  ignore_above: 1024
  level: extended
  name: file_version
  normalize: []
  original_fieldset: pe
  short: Process name.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.go_import_hash:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-go-import-hash
  description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).'
  example: 10bddcb4cee42080f76c88d9ff964491
  flat_name: Target.process.Ext.memory_region.mapped_pe.go_import_hash
  ignore_above: 1024
  level: extended
  name: go_import_hash
  normalize: []
  original_fieldset: pe
  short: A hash of the Go language imports in a PE file.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.go_imports:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-go-imports
  description: List of imported Go language element names and types.
  flat_name: Target.process.Ext.memory_region.mapped_pe.go_imports
  level: extended
  name: go_imports
  normalize: []
  original_fieldset: pe
  short: List of imported Go language element names and types.
  type: flattened
Target.process.Ext.memory_region.mapped_pe.go_imports_names_entropy:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-go-imports-names-entropy
  description: Shannon entropy calculation from the list of Go imports.
  flat_name: Target.process.Ext.memory_region.mapped_pe.go_imports_names_entropy
  format: number
  level: extended
  name: go_imports_names_entropy
  normalize: []
  original_fieldset: pe
  short: Shannon entropy calculation from the list of Go imports.
  type: long
Target.process.Ext.memory_region.mapped_pe.go_imports_names_var_entropy:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-go-imports-names-var-entropy
  description: Variance for Shannon entropy calculation from the list of Go imports.
  flat_name: Target.process.Ext.memory_region.mapped_pe.go_imports_names_var_entropy
  format: number
  level: extended
  name: go_imports_names_var_entropy
  normalize: []
  original_fieldset: pe
  short: Variance for Shannon entropy calculation from the list of Go imports.
  type: long
Target.process.Ext.memory_region.mapped_pe.go_stripped:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-go-stripped
  description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
  flat_name: Target.process.Ext.memory_region.mapped_pe.go_stripped
  level: extended
  name: go_stripped
  normalize: []
  original_fieldset: pe
  short: Whether the file is a stripped or obfuscated Go executable.
  type: boolean
Target.process.Ext.memory_region.mapped_pe.imphash:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-imphash
  description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
  example: 0c6803c4e922103c4dca5963aad36ddf
  flat_name: Target.process.Ext.memory_region.mapped_pe.imphash
  ignore_above: 1024
  level: extended
  name: imphash
  normalize: []
  original_fieldset: pe
  short: A hash of the imports in a PE file.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.import_hash:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-import-hash
  description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.'
  example: d41d8cd98f00b204e9800998ecf8427e
  flat_name: Target.process.Ext.memory_region.mapped_pe.import_hash
  ignore_above: 1024
  level: extended
  name: import_hash
  normalize: []
  original_fieldset: pe
  short: A hash of the imports in a PE file.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.imports:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-imports
  description: List of imported element names and types.
  flat_name: Target.process.Ext.memory_region.mapped_pe.imports
  level: extended
  name: imports
  normalize:
  - array
  original_fieldset: pe
  short: List of imported element names and types.
  type: flattened
Target.process.Ext.memory_region.mapped_pe.imports_names_entropy:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-imports-names-entropy
  description: Shannon entropy calculation from the list of imported element names and types.
  flat_name: Target.process.Ext.memory_region.mapped_pe.imports_names_entropy
  format: number
  level: extended
  name: imports_names_entropy
  normalize: []
  original_fieldset: pe
  short: Shannon entropy calculation from the list of imported element names and types.
  type: long
Target.process.Ext.memory_region.mapped_pe.imports_names_var_entropy:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-imports-names-var-entropy
  description: Variance for Shannon entropy calculation from the list of imported element names and types.
  flat_name: Target.process.Ext.memory_region.mapped_pe.imports_names_var_entropy
  format: number
  level: extended
  name: imports_names_var_entropy
  normalize: []
  original_fieldset: pe
  short: Variance for Shannon entropy calculation from the list of imported element names and types.
  type: long
Target.process.Ext.memory_region.mapped_pe.original_file_name:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-original-file-name
  description: Internal name of the file, provided at compile-time.
  example: MSPAINT.EXE
  flat_name: Target.process.Ext.memory_region.mapped_pe.original_file_name
  ignore_above: 1024
  level: extended
  name: original_file_name
  normalize: []
  original_fieldset: pe
  short: Internal name of the file, provided at compile-time.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.pehash:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-pehash
  description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
  example: 73ff189b63cd6be375a7ff25179a38d347651975
  flat_name: Target.process.Ext.memory_region.mapped_pe.pehash
  ignore_above: 1024
  level: extended
  name: pehash
  normalize: []
  original_fieldset: pe
  short: A hash of the PE header and data from one or more PE sections.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.product:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-product
  description: Internal product name of the file, provided at compile-time.
  example: "Microsoft\xAE Windows\xAE Operating System"
  flat_name: Target.process.Ext.memory_region.mapped_pe.product
  ignore_above: 1024
  level: extended
  name: product
  normalize: []
  original_fieldset: pe
  short: Internal product name of the file, provided at compile-time.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.sections:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-sections
  description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.'
  flat_name: Target.process.Ext.memory_region.mapped_pe.sections
  level: extended
  name: sections
  normalize:
  - array
  original_fieldset: pe
  short: Section information of the PE file.
  type: nested
Target.process.Ext.memory_region.mapped_pe.sections.entropy:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-sections-entropy
  description: Shannon entropy calculation from the section.
  flat_name: Target.process.Ext.memory_region.mapped_pe.sections.entropy
  format: number
  level: extended
  name: sections.entropy
  normalize: []
  original_fieldset: pe
  short: Shannon entropy calculation from the section.
  type: long
Target.process.Ext.memory_region.mapped_pe.sections.name:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-sections-name
  description: PE Section List name.
  flat_name: Target.process.Ext.memory_region.mapped_pe.sections.name
  ignore_above: 1024
  level: extended
  name: sections.name
  normalize: []
  original_fieldset: pe
  short: PE Section List name.
  type: keyword
Target.process.Ext.memory_region.mapped_pe.sections.physical_size:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-sections-physical-size
  description: PE Section List physical size.
  flat_name: Target.process.Ext.memory_region.mapped_pe.sections.physical_size
  format: bytes
  level: extended
  name: sections.physical_size
  normalize: []
  original_fieldset: pe
  short: PE Section List physical size.
  type: long
Target.process.Ext.memory_region.mapped_pe.sections.var_entropy:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-sections-var-entropy
  description: Variance for Shannon entropy calculation from the section.
  flat_name: Target.process.Ext.memory_region.mapped_pe.sections.var_entropy
  format: number
  level: extended
  name: sections.var_entropy
  normalize: []
  original_fieldset: pe
  short: Variance for Shannon entropy calculation from the section.
  type: long
Target.process.Ext.memory_region.mapped_pe.sections.virtual_size:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-sections-virtual-size
  description: PE Section List virtual size. This is always the same as `physical_size`.
  flat_name: Target.process.Ext.memory_region.mapped_pe.sections.virtual_size
  format: string
  level: extended
  name: sections.virtual_size
  normalize: []
  original_fieldset: pe
  short: PE Section List virtual size. This is always the same as `physical_size`.
  type: long
Target.process.Ext.memory_region.mapped_pe_detected:
  dashed_name: Target-process-Ext-memory-region-mapped-pe-detected
  description: Whether the file at mapped_path is an executable.
  example: false
  flat_name: Target.process.Ext.memory_region.mapped_pe_detected
  level: custom
  name: mapped_pe_detected
  normalize: []
  original_fieldset: memory_region
  short: Whether the file at mapped_path is an executable.
  type: boolean
Target.process.Ext.memory_region.memory_pe.Ext.dotnet:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-dotnet
  description: Whether this file is a .NET PE
  example: 'true'
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.dotnet
  level: custom
  name: Ext.dotnet
  normalize: []
  original_fieldset: pe
  short: Whether this file is a .NET PE
  type: boolean
Target.process.Ext.memory_region.memory_pe.Ext.sections:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-sections
  description: The file's relevant sections, if it is a PE
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.sections
  level: custom
  name: Ext.sections
  normalize: []
  original_fieldset: pe
  short: The file's sections, if it is a PE
  type: object
Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.md5:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-sections-hash-md5
  description: MD5 hash.
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.md5
  ignore_above: 1024
  level: extended
  name: md5
  normalize: []
  original_fieldset: hash
  short: MD5 hash.
  type: keyword
Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.sha1:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-sections-hash-sha1
  description: SHA1 hash.
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.sha1
  ignore_above: 1024
  level: extended
  name: sha1
  normalize: []
  original_fieldset: hash
  short: SHA1 hash.
  type: keyword
Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.sha256:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-sections-hash-sha256
  description: SHA256 hash.
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.sha256
  ignore_above: 1024
  level: extended
  name: sha256
  normalize: []
  original_fieldset: hash
  short: SHA256 hash.
  type: keyword
Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.sha384:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-sections-hash-sha384
  description: SHA384 hash.
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.sha384
  ignore_above: 1024
  level: extended
  name: sha384
  normalize: []
  original_fieldset: hash
  short: SHA384 hash.
  type: keyword
Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.sha512:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-sections-hash-sha512
  description: SHA512 hash.
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.sha512
  ignore_above: 1024
  level: extended
  name: sha512
  normalize: []
  original_fieldset: hash
  short: SHA512 hash.
  type: keyword
Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.ssdeep:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-sections-hash-ssdeep
  description: SSDEEP hash.
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.ssdeep
  ignore_above: 1024
  level: extended
  name: ssdeep
  normalize: []
  original_fieldset: hash
  short: SSDEEP hash.
  type: keyword
Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.tlsh:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-sections-hash-tlsh
  description: TLSH hash.
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.sections.hash.tlsh
  ignore_above: 1024
  level: extended
  name: tlsh
  normalize: []
  original_fieldset: hash
  short: TLSH hash.
  type: keyword
Target.process.Ext.memory_region.memory_pe.Ext.sections.name:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-sections-name
  description: The section's name
  example: .reloc
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.sections.name
  ignore_above: 1024
  level: custom
  name: Ext.sections.name
  normalize: []
  original_fieldset: pe
  short: The section's name
  type: keyword
Target.process.Ext.memory_region.memory_pe.Ext.streams:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-streams
  description: The file's streams, if it is a PE
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.streams
  level: custom
  name: Ext.streams
  normalize: []
  original_fieldset: pe
  short: The file's streams, if it is a PE
  type: object
Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.md5:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-streams-hash-md5
  description: MD5 hash.
  flat_name: Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.md5
  ignore_above: 1024
  level: extended
  name: md5
  normalize: []
  original_fieldset: hash
  short: MD5 hash.
  type: keyword
Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.sha1:
  dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-streams-hash-sha1
  description: SHA1 hash.
flat_name: Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.sha1 ignore_above: 1024 level: extended name: sha1 normalize: [] original_fieldset: hash short: SHA1 hash. type: keyword Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.sha256: dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-streams-hash-sha256 description: SHA256 hash. flat_name: Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.sha256 ignore_above: 1024 level: extended name: sha256 normalize: [] original_fieldset: hash short: SHA256 hash. type: keyword Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.sha384: dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-streams-hash-sha384 description: SHA384 hash. flat_name: Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.sha384 ignore_above: 1024 level: extended name: sha384 normalize: [] original_fieldset: hash short: SHA384 hash. type: keyword Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.sha512: dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-streams-hash-sha512 description: SHA512 hash. flat_name: Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.sha512 ignore_above: 1024 level: extended name: sha512 normalize: [] original_fieldset: hash short: SHA512 hash. type: keyword Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.ssdeep: dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-streams-hash-ssdeep description: SSDEEP hash. flat_name: Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep normalize: [] original_fieldset: hash short: SSDEEP hash. type: keyword Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.tlsh: dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-streams-hash-tlsh description: TLSH hash. 
flat_name: Target.process.Ext.memory_region.memory_pe.Ext.streams.hash.tlsh ignore_above: 1024 level: extended name: tlsh normalize: [] original_fieldset: hash short: TLSH hash. type: keyword Target.process.Ext.memory_region.memory_pe.Ext.streams.name: dashed_name: Target-process-Ext-memory-region-memory-pe-Ext-streams-name description: The stream's name example: .reloc flat_name: Target.process.Ext.memory_region.memory_pe.Ext.streams.name ignore_above: 1024 level: custom name: Ext.streams.name normalize: [] original_fieldset: pe short: The stream's name type: keyword Target.process.Ext.memory_region.memory_pe.architecture: dashed_name: Target-process-Ext-memory-region-memory-pe-architecture description: CPU architecture target for the file. example: x64 flat_name: Target.process.Ext.memory_region.memory_pe.architecture ignore_above: 1024 level: extended name: architecture normalize: [] original_fieldset: pe short: CPU architecture target for the file. type: keyword Target.process.Ext.memory_region.memory_pe.company: dashed_name: Target-process-Ext-memory-region-memory-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation flat_name: Target.process.Ext.memory_region.memory_pe.company ignore_above: 1024 level: extended name: company normalize: [] original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword Target.process.Ext.memory_region.memory_pe.description: dashed_name: Target-process-Ext-memory-region-memory-pe-description description: Internal description of the file, provided at compile-time. example: Paint flat_name: Target.process.Ext.memory_region.memory_pe.description ignore_above: 1024 level: extended name: description normalize: [] original_fieldset: pe short: Internal description of the file, provided at compile-time. 
type: keyword Target.process.Ext.memory_region.memory_pe.file_version: dashed_name: Target-process-Ext-memory-region-memory-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 flat_name: Target.process.Ext.memory_region.memory_pe.file_version ignore_above: 1024 level: extended name: file_version normalize: [] original_fieldset: pe short: Process name. type: keyword Target.process.Ext.memory_region.memory_pe.go_import_hash: dashed_name: Target-process-Ext-memory-region-memory-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).' example: 10bddcb4cee42080f76c88d9ff964491 flat_name: Target.process.Ext.memory_region.memory_pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash normalize: [] original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword Target.process.Ext.memory_region.memory_pe.go_imports: dashed_name: Target-process-Ext-memory-region-memory-pe-go-imports description: List of imported Go language element names and types. flat_name: Target.process.Ext.memory_region.memory_pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened Target.process.Ext.memory_region.memory_pe.go_imports_names_entropy: dashed_name: Target-process-Ext-memory-region-memory-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. 
flat_name: Target.process.Ext.memory_region.memory_pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy normalize: [] original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long Target.process.Ext.memory_region.memory_pe.go_imports_names_var_entropy: dashed_name: Target-process-Ext-memory-region-memory-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. flat_name: Target.process.Ext.memory_region.memory_pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy normalize: [] original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long Target.process.Ext.memory_region.memory_pe.go_stripped: dashed_name: Target-process-Ext-memory-region-memory-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. flat_name: Target.process.Ext.memory_region.memory_pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean Target.process.Ext.memory_region.memory_pe.imphash: dashed_name: Target-process-Ext-memory-region-memory-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf flat_name: Target.process.Ext.memory_region.memory_pe.imphash ignore_above: 1024 level: extended name: imphash normalize: [] original_fieldset: pe short: A hash of the imports in a PE file. 
type: keyword Target.process.Ext.memory_region.memory_pe.import_hash: dashed_name: Target-process-Ext-memory-region-memory-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e flat_name: Target.process.Ext.memory_region.memory_pe.import_hash ignore_above: 1024 level: extended name: import_hash normalize: [] original_fieldset: pe short: A hash of the imports in a PE file. type: keyword Target.process.Ext.memory_region.memory_pe.imports: dashed_name: Target-process-Ext-memory-region-memory-pe-imports description: List of imported element names and types. flat_name: Target.process.Ext.memory_region.memory_pe.imports level: extended name: imports normalize: - array original_fieldset: pe short: List of imported element names and types. type: flattened Target.process.Ext.memory_region.memory_pe.imports_names_entropy: dashed_name: Target-process-Ext-memory-region-memory-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. flat_name: Target.process.Ext.memory_region.memory_pe.imports_names_entropy format: number level: extended name: imports_names_entropy normalize: [] original_fieldset: pe short: Shannon entropy calculation from the list of imported element names and types. type: long Target.process.Ext.memory_region.memory_pe.imports_names_var_entropy: dashed_name: Target-process-Ext-memory-region-memory-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. 
flat_name: Target.process.Ext.memory_region.memory_pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy normalize: [] original_fieldset: pe short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long Target.process.Ext.memory_region.memory_pe.original_file_name: dashed_name: Target-process-Ext-memory-region-memory-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: Target.process.Ext.memory_region.memory_pe.original_file_name ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword Target.process.Ext.memory_region.memory_pe.pehash: dashed_name: Target-process-Ext-memory-region-memory-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 flat_name: Target.process.Ext.memory_region.memory_pe.pehash ignore_above: 1024 level: extended name: pehash normalize: [] original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword Target.process.Ext.memory_region.memory_pe.product: dashed_name: Target-process-Ext-memory-region-memory-pe-product description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: Target.process.Ext.memory_region.memory_pe.product ignore_above: 1024 level: extended name: product normalize: [] original_fieldset: pe short: Internal product name of the file, provided at compile-time. 
type: keyword Target.process.Ext.memory_region.memory_pe.sections: dashed_name: Target-process-Ext-memory-region-memory-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' flat_name: Target.process.Ext.memory_region.memory_pe.sections level: extended name: sections normalize: - array original_fieldset: pe short: Section information of the PE file. type: nested Target.process.Ext.memory_region.memory_pe.sections.entropy: dashed_name: Target-process-Ext-memory-region-memory-pe-sections-entropy description: Shannon entropy calculation from the section. flat_name: Target.process.Ext.memory_region.memory_pe.sections.entropy format: number level: extended name: sections.entropy normalize: [] original_fieldset: pe short: Shannon entropy calculation from the section. type: long Target.process.Ext.memory_region.memory_pe.sections.name: dashed_name: Target-process-Ext-memory-region-memory-pe-sections-name description: PE Section List name. flat_name: Target.process.Ext.memory_region.memory_pe.sections.name ignore_above: 1024 level: extended name: sections.name normalize: [] original_fieldset: pe short: PE Section List name. type: keyword Target.process.Ext.memory_region.memory_pe.sections.physical_size: dashed_name: Target-process-Ext-memory-region-memory-pe-sections-physical-size description: PE Section List physical size. flat_name: Target.process.Ext.memory_region.memory_pe.sections.physical_size format: bytes level: extended name: sections.physical_size normalize: [] original_fieldset: pe short: PE Section List physical size. type: long Target.process.Ext.memory_region.memory_pe.sections.var_entropy: dashed_name: Target-process-Ext-memory-region-memory-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. 
flat_name: Target.process.Ext.memory_region.memory_pe.sections.var_entropy format: number level: extended name: sections.var_entropy normalize: [] original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long Target.process.Ext.memory_region.memory_pe.sections.virtual_size: dashed_name: Target-process-Ext-memory-region-memory-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. flat_name: Target.process.Ext.memory_region.memory_pe.sections.virtual_size format: string level: extended name: sections.virtual_size normalize: [] original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long Target.process.Ext.memory_region.memory_pe_detected: dashed_name: Target-process-Ext-memory-region-memory-pe-detected description: Whether an executable file was found in memory. example: false flat_name: Target.process.Ext.memory_region.memory_pe_detected level: custom name: memory_pe_detected normalize: [] original_fieldset: memory_region short: Whether an executable file was found in memory. type: boolean Target.process.Ext.memory_region.region_base: dashed_name: Target-process-Ext-memory-region-region-base description: Base address of the memory region. example: 2431737462784 flat_name: Target.process.Ext.memory_region.region_base level: custom name: region_base normalize: [] original_fieldset: memory_region short: Base address of the memory region. type: unsigned_long Target.process.Ext.memory_region.region_protection: dashed_name: Target-process-Ext-memory-region-region-protection description: Memory protection of the memory region. Example values include "RWX" and "R-X". example: RWX flat_name: Target.process.Ext.memory_region.region_protection ignore_above: 1024 level: custom name: region_protection normalize: [] original_fieldset: memory_region short: Memory protection of the memory region. Example values include "RWX" and "R-X". 
type: keyword Target.process.Ext.memory_region.region_size: dashed_name: Target-process-Ext-memory-region-region-size description: Size of the memory region. example: 4096 flat_name: Target.process.Ext.memory_region.region_size level: custom name: region_size normalize: [] original_fieldset: memory_region short: Size of the memory region. type: unsigned_long Target.process.Ext.memory_region.region_start_bytes: dashed_name: Target-process-Ext-memory-region-region-start-bytes description: First 64 bytes at the region base address. example: 4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000000000000000000000000000000000000000000 flat_name: Target.process.Ext.memory_region.region_start_bytes ignore_above: 1024 level: custom name: region_start_bytes normalize: [] original_fieldset: memory_region short: First 64 bytes at the region base address. type: keyword Target.process.Ext.memory_region.region_state: dashed_name: Target-process-Ext-memory-region-region-state description: State of the memory region. Example values include "RESERVE", "COMMIT", and "FREE". example: COMMIT flat_name: Target.process.Ext.memory_region.region_state ignore_above: 1024 level: custom name: region_state normalize: [] original_fieldset: memory_region short: State of the memory region. Example values include "RESERVE", "COMMIT", and "FREE". type: keyword Target.process.Ext.memory_region.strings: dashed_name: Target-process-Ext-memory-region-strings description: Array of strings found within the memory region. doc_values: false flat_name: Target.process.Ext.memory_region.strings index: false level: custom name: strings normalize: [] original_fieldset: memory_region short: Array of strings found within the memory region. type: keyword Target.process.Ext.protection: dashed_name: Target-process-Ext-protection description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. 
Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. flat_name: Target.process.Ext.protection ignore_above: 1024 level: custom name: Ext.protection normalize: [] original_fieldset: process short: OS-level protections granted to this process type: keyword Target.process.Ext.token.integrity_level_name: dashed_name: Target-process-Ext-token-integrity-level-name description: Human readable integrity level. example: one of "system", "high", "medium", "low", "untrusted" flat_name: Target.process.Ext.token.integrity_level_name ignore_above: 1024 level: custom name: integrity_level_name normalize: [] original_fieldset: token short: Human readable integrity level. type: keyword Target.process.entity_id: dashed_name: Target-process-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d flat_name: Target.process.entity_id ignore_above: 1024 level: extended name: entity_id normalize: [] original_fieldset: process short: Unique identifier for the process. type: keyword Target.process.executable: dashed_name: Target-process-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: Target.process.executable ignore_above: 1024 level: extended multi_fields: - flat_name: Target.process.executable.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: Target.process.executable.text name: text norms: false type: text name: executable normalize: [] original_fieldset: process short: Absolute path to the process executable. 
type: keyword Target.process.name: dashed_name: Target-process-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: Target.process.name ignore_above: 1024 level: extended multi_fields: - flat_name: Target.process.name.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: Target.process.name.text name: text norms: false type: text name: name normalize: [] original_fieldset: process short: Process name. type: keyword Target.process.pid: dashed_name: Target-process-pid description: Process id. example: 4242 flat_name: Target.process.pid format: string level: core name: pid normalize: [] original_fieldset: process short: Process id. type: long data_stream.dataset: dashed_name: data-stream-dataset description: Data stream dataset name. example: nginx.access flat_name: data_stream.dataset level: custom name: dataset normalize: [] short: The field can contain anything that makes sense to signify the source of the data. type: constant_keyword data_stream.namespace: dashed_name: data-stream-namespace description: Data stream namespace. example: production flat_name: data_stream.namespace level: custom name: namespace normalize: [] short: A user defined namespace. Namespaces are useful to allow grouping of data. type: constant_keyword data_stream.type: dashed_name: data-stream-type description: Data stream type. example: logs flat_name: data_stream.type level: custom name: type normalize: [] short: An overarching type for the data stream. type: constant_keyword destination.ip: dashed_name: destination-ip description: IP address of the destination (IPv4 or IPv6). flat_name: destination.ip level: core name: ip normalize: [] short: IP address of the destination. type: ip destination.port: dashed_name: destination-port description: Port of the destination. flat_name: destination.port format: string level: core name: port normalize: [] short: Port of the destination. 
type: long dll.Ext: dashed_name: dll-Ext description: Object for all custom defined fields to live in. flat_name: dll.Ext level: custom name: Ext normalize: [] short: Object for all custom defined fields to live in. type: object dll.Ext.code_signature: dashed_name: dll-Ext-code-signature description: Nested version of ECS code_signature fieldset. flat_name: dll.Ext.code_signature level: custom name: Ext.code_signature normalize: [] short: Nested version of ECS code_signature fieldset. type: nested dll.Ext.code_signature.exists: dashed_name: dll-Ext-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' flat_name: dll.Ext.code_signature.exists level: custom name: Ext.code_signature.exists normalize: [] short: Boolean to capture if a signature is present. type: boolean dll.Ext.code_signature.status: dashed_name: dll-Ext-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: dll.Ext.code_signature.status ignore_above: 1024 level: custom name: Ext.code_signature.status normalize: [] short: Additional information about the certificate status. type: keyword dll.Ext.code_signature.subject_name: dashed_name: dll-Ext-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation flat_name: dll.Ext.code_signature.subject_name ignore_above: 1024 level: custom name: Ext.code_signature.subject_name normalize: [] short: Subject name of the code signer type: keyword dll.Ext.code_signature.trusted: dashed_name: dll-Ext-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' 
example: 'true' flat_name: dll.Ext.code_signature.trusted level: custom name: Ext.code_signature.trusted normalize: [] short: Stores the trust status of the certificate chain. type: boolean dll.hash.sha256: dashed_name: dll-hash-sha256 description: SHA256 hash. flat_name: dll.hash.sha256 ignore_above: 1024 level: extended name: sha256 normalize: [] original_fieldset: hash short: SHA256 hash. type: keyword dll.path: dashed_name: dll-path description: Full file path of the library. example: C:\Windows\System32\kernel32.dll flat_name: dll.path ignore_above: 1024 level: extended name: path normalize: [] short: Full file path of the library. type: keyword ecs.version: dashed_name: ecs-version description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 flat_name: ecs.version ignore_above: 1024 level: core name: version normalize: [] required: true short: ECS version this event conforms to. type: keyword event.action: dashed_name: event-action description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change flat_name: event.action ignore_above: 1024 level: core name: action normalize: [] short: The action captured by the event. type: keyword event.category: allowed_values: - description: Events in this category annotate API calls that occured on a system. 
Typical sources for those events could be from the Operating System level through the native libraries (for example Windows Win32, Linux libc, etc.), or managed sources of events (such as ETW, syslog), but can also include network protocols (such as SOAP, RPC, Websocket, REST, etc.) expected_event_types: - access - admin - allowed - change - creation - deletion - denied - end - info - start - user name: api - description: Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. Visualize and analyze events in this category to look for failed logins, and other authentication-related activity. expected_event_types: - start - end - info name: authentication - description: 'Events in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system. Example sources include security policy change logs, configuration auditing logging, and system integrity monitoring.' expected_event_types: - access - change - creation - deletion - info name: configuration - description: The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database activity such as accesses and changes. expected_event_types: - access - change - info - error name: database - description: 'Events in the driver category have to do with operating system device drivers and similar software entities such as Windows drivers, kernel extensions, kernel modules, etc. Use events and metrics in this category to visualize and analyze driver-related activity and status on hosts.' 
expected_event_types: - change - end - info - start name: driver - description: 'This category is used for events relating to email messages, email attachments, and email network or protocol activity. Emails events can be produced by email security gateways, mail transfer agents, email cloud service providers, or mail server monitoring applications.' expected_event_types: - info name: email - description: Relating to a set of information that has been created on, or has existed on a filesystem. Use this category of events to visualize and analyze the creation, access, and deletions of files. Events in this category can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: - access - change - creation - deletion - info name: file - description: 'Use this category to visualize and analyze information such as host inventory or host lifecycle events. Most of the events in this category can usually be observed from the outside, such as from a hypervisor or a control plane''s point of view. Some can also be seen from within, such as "start" or "end". Note that this category is for information about hosts themselves; it is not meant to capture activity "happening on a host".' expected_event_types: - access - change - end - info - start name: host - description: Identity and access management (IAM) events relating to users, groups, and administration. Use this category to visualize and analyze IAM-related logs and data from active directory, LDAP, Okta, Duo, and other IAM systems. expected_event_types: - admin - change - creation - deletion - group - info - user name: iam - description: Relating to intrusion detections from IDS/IPS systems and functions, both network and host-based. Use this category to visualize and analyze intrusion detection alerts from systems such as Snort, Suricata, and Palo Alto threat detections. 
expected_event_types: - allowed - denied - info name: intrusion_detection - description: Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process. Use this category to visualize and analyze library loading related activity on hosts. Keep in mind that driver related activity will be captured under the "driver" category above. expected_event_types: - start name: library - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems such as Suricata, or other sources of malware-related events such as Palo Alto Networks threat logs and Wildfire logs. expected_event_types: - info name: malware - description: Relating to all network activity, including network connection lifecycle, network traffic, and essentially any event that includes an IP address. Many events containing decoded network protocol transactions fit into this category. Use events in this category to visualize or analyze counts of network ports, protocols, addresses, geolocation information, etc. expected_event_types: - access - allowed - connection - denied - end - info - protocol - start name: network - description: Relating to software packages installed on hosts. Use this category to visualize and analyze inventory of software installed on various hosts, or to determine host vulnerability in the absence of vulnerability scan data. expected_event_types: - access - change - deletion - info - installation - start name: package - description: Use this category of events to visualize and analyze process-specific information such as lifecycle events or process ancestry. expected_event_types: - access - change - end - info - start name: process - description: Having to do with settings and assets stored in the Windows registry. 
Use this category to visualize and analyze activity such as registry access and modifications. expected_event_types: - access - change - creation - deletion name: registry - description: The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. expected_event_types: - start - end - info name: session - description: Use this category to visualize and analyze events describing threat actors' targets, motives, or behaviors. expected_event_types: - indicator name: threat - description: Relating to vulnerability scan results. Use this category to analyze vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability management sources. expected_event_types: - info name: vulnerability - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in this category.' expected_event_types: - access - error - info name: web dashed_name: event-category description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication flat_name: event.category ignore_above: 1024 level: core name: category normalize: - array short: Event category. 
The second categorization field in the hierarchy. type: keyword event.created: dashed_name: event-created description: '`event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used.' example: '2016-05-23T08:05:34.857Z' flat_name: event.created level: core name: created normalize: [] short: Time when the event was first read by an agent or by your pipeline. type: date event.dataset: dashed_name: event-dataset description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access flat_name: event.dataset ignore_above: 1024 level: core name: dataset normalize: [] short: Name of the dataset. type: keyword event.end: dashed_name: event-end description: '`event.end` contains the date when the event ended or when the activity was last observed.' flat_name: event.end level: extended name: end normalize: [] short: '`event.end` contains the date when the event ended or when the activity was last observed.' type: date event.hash: dashed_name: event-hash description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
example: 123456789012345678901234567890ABCD flat_name: event.hash ignore_above: 1024 level: extended name: hash normalize: [] short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword event.id: dashed_name: event-id description: Unique ID to describe the event. example: 8a4f500d flat_name: event.id ignore_above: 1024 level: core name: id normalize: [] short: Unique ID to describe the event. type: keyword event.ingested: dashed_name: event-ingested description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' flat_name: event.ingested level: core name: ingested normalize: [] short: Timestamp when an event arrived in the central data store. type: date event.outcome: allowed_values: - description: Indicates that this event describes a failed result. A common example is `event.category:file AND event.type:access AND event.outcome:failure` to indicate that a file access was attempted, but was not successful. name: failure - description: Indicates that this event describes a successful result. A common example is `event.category:file AND event.type:create AND event.outcome:success` to indicate that a file was successfully created. name: success - description: Indicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. 
The unknown value should not be used when an outcome doesn't make logical sense for the event. In such cases `event.outcome` should not be populated. name: unknown dashed_name: event-outcome description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success flat_name: event.outcome ignore_above: 1024 level: core name: outcome normalize: [] short: The outcome of the event. The lowest level categorization field in the hierarchy. type: keyword event.start: dashed_name: event-start description: '`event.start` contains the date when the event started or when the activity was first observed.' flat_name: event.start level: extended name: start normalize: [] short: '`event.start` contains the date when the event started or when the activity was first observed.' type: date event.type: allowed_values: - description: The access event type is used for the subset of events within a category that indicate that something was accessed. Common examples include `event.category:database AND event.type:access`, or `event.category:file AND event.type:access`. 
Note for file access, both directory listings and file opens should be included in this subcategory. You can further distinguish access operations using the ECS `event.action` field. name: access - description: 'The admin event type is used for the subset of events within a category that are related to admin objects. For example, administrative changes within an IAM framework that do not specifically affect a user or group (e.g., adding new applications to a federation solution or connecting discrete forests in Active Directory) would fall into this subcategory. Common example: `event.category:iam AND event.type:change AND event.type:admin`. You can further distinguish admin operations using the ECS `event.action` field.' name: admin - description: The allowed event type is used for the subset of events within a category that indicate that something was allowed. Common examples include `event.category:network AND event.type:connection AND event.type:allowed` (to indicate a network firewall event for which the firewall disposition was to allow the connection to complete) and `event.category:intrusion_detection AND event.type:allowed` (to indicate a network intrusion prevention system event for which the IPS disposition was to allow the connection to complete). You can further distinguish allowed operations using the ECS `event.action` field, populating with values of your choosing, such as "allow", "detect", or "pass". name: allowed - description: The change event type is used for the subset of events within a category that indicate that something has changed. If semantics best describe an event as modified, then include them in this subcategory. Common examples include `event.category:process AND event.type:change`, and `event.category:file AND event.type:change`. You can further distinguish change operations using the ECS `event.action` field. 
name: change - description: Used primarily with `event.category:network` this value is used for the subset of network traffic that includes sufficient information for the event to be included in flow or connection analysis. Events in this subcategory will contain at least source and destination IP addresses, source and destination TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. Events in this subcategory may contain unidirectional or bidirectional information, including summary information. Use this subcategory to visualize and analyze network connections. Flow analysis, including Netflow, IPFIX, and other flow-related events fit in this subcategory. Note that firewall events from many Next-Generation Firewall (NGFW) devices will also fit into this subcategory. A common filter for flow/connection information would be `event.category:network AND event.type:connection AND event.type:end` (to view or analyze all completed network connections, ignoring mid-flow reports). You can further distinguish connection events using the ECS `event.action` field, populating with values of your choosing, such as "timeout", or "reset". name: connection - description: The "creation" event type is used for the subset of events within a category that indicate that something was created. A common example is `event.category:file AND event.type:creation`. name: creation - description: The deletion event type is used for the subset of events within a category that indicate that something was deleted. A common example is `event.category:file AND event.type:deletion` to indicate that a file has been deleted. name: deletion - description: The denied event type is used for the subset of events within a category that indicate that something was denied. 
Common examples include `event.category:network AND event.type:denied` (to indicate a network firewall event for which the firewall disposition was to deny the connection) and `event.category:intrusion_detection AND event.type:denied` (to indicate a network intrusion prevention system event for which the IPS disposition was to deny the connection to complete). You can further distinguish denied operations using the ECS `event.action` field, populating with values of your choosing, such as "blocked", "dropped", or "quarantined". name: denied - description: The end event type is used for the subset of events within a category that indicate something has ended. A common example is `event.category:process AND event.type:end`. name: end - description: The error event type is used for the subset of events within a category that indicate or describe an error. A common example is `event.category:database AND event.type:error`. Note that pipeline errors that occur during the event ingestion process should not use this `event.type` value. Instead, they should use `event.kind:pipeline_error`. name: error - description: 'The group event type is used for the subset of events within a category that are related to group objects. Common example: `event.category:iam AND event.type:creation AND event.type:group`. You can further distinguish group operations using the ECS `event.action` field.' name: group - description: 'The indicator event type is used for the subset of events within a category that contain details about indicators of compromise (IOCs). A common example is `event.category:threat AND event.type:indicator`.' name: indicator - description: The info event type is used for the subset of events within a category that indicate that they are purely informational, and don't report a state change, or any type of action. 
For example, an initial run of a file integrity monitoring system (FIM), where an agent reports all files under management, would fall into the "info" subcategory. Similarly, an event containing a dump of all currently running processes (as opposed to reporting that a process started/ended) would fall into the "info" subcategory. An additional common examples is `event.category:intrusion_detection AND event.type:info`. name: info - description: The installation event type is used for the subset of events within a category that indicate that something was installed. A common example is `event.category:package` AND `event.type:installation`. name: installation - description: The protocol event type is used for the subset of events within a category that indicate that they contain protocol details or analysis, beyond simply identifying the protocol. Generally, network events that contain specific protocol details will fall into this subcategory. A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate that the event is a network connection event sent at the end of a connection that also includes a protocol detail breakdown). Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process AND event.type:start`. name: start - description: 'The user event type is used for the subset of events within a category that are related to user objects. Common example: `event.category:iam AND event.type:deletion AND event.type:user`. You can further distinguish user operations using the ECS `event.action` field.' 
name: user dashed_name: event-type description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' flat_name: event.type ignore_above: 1024 level: core name: type normalize: - array short: Event type. The third categorization field in the hierarchy. type: keyword host.architecture: dashed_name: host-architecture description: Operating system architecture. example: x86_64 flat_name: host.architecture ignore_above: 1024 level: core name: architecture normalize: [] short: Operating system architecture. type: keyword host.domain: dashed_name: host-domain description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO flat_name: host.domain ignore_above: 1024 level: extended name: domain normalize: [] short: Name of the directory the group is a member of. type: keyword host.hostname: dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' flat_name: host.hostname ignore_above: 1024 level: core name: hostname normalize: [] short: Hostname of the host. type: keyword host.id: dashed_name: host-id description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' flat_name: host.id ignore_above: 1024 level: core name: id normalize: [] short: Unique host id. type: keyword host.ip: dashed_name: host-ip description: Host ip addresses. 
flat_name: host.ip level: core name: ip normalize: - array short: Host ip addresses. type: ip host.mac: dashed_name: host-mac description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' flat_name: host.mac ignore_above: 1024 level: core name: mac normalize: - array pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: Host MAC addresses. type: keyword host.name: dashed_name: host-name description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' flat_name: host.name ignore_above: 1024 level: core name: name normalize: [] short: Name of the host. type: keyword host.os.Ext: dashed_name: host-os-Ext description: Object for all custom defined fields to live in. flat_name: host.os.Ext level: custom name: Ext normalize: [] original_fieldset: os short: Object for all custom defined fields to live in. type: object host.os.Ext.variant: dashed_name: host-os-Ext-variant description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu flat_name: host.os.Ext.variant ignore_above: 1024 level: custom name: Ext.variant normalize: [] original_fieldset: os short: A string value or phrase that further aid to classify or qualify the operating system (OS). type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). 
example: debian flat_name: host.os.family ignore_above: 1024 level: extended name: family normalize: [] original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: host.os.full ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.full.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: host.os.full.text name: text norms: false type: text name: full normalize: [] original_fieldset: os short: Operating system name, including the version or code name. type: keyword host.os.kernel: dashed_name: host-os-kernel description: Operating system kernel version as a raw string. example: 4.4.0-112-generic flat_name: host.os.kernel ignore_above: 1024 level: extended name: kernel normalize: [] original_fieldset: os short: Operating system kernel version as a raw string. type: keyword host.os.name: dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X flat_name: host.os.name ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.name.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: host.os.name.text name: text norms: false type: text name: name normalize: [] original_fieldset: os short: Operating system name, without the version. type: keyword host.os.platform: dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). example: darwin flat_name: host.os.platform ignore_above: 1024 level: extended name: platform normalize: [] original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword host.os.type: dashed_name: host-os-type description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos expected_values: - linux - macos - unix - windows - ios - android flat_name: host.os.type ignore_above: 1024 level: extended name: type normalize: [] original_fieldset: os short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).' type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. example: 10.14.1 flat_name: host.os.version ignore_above: 1024 level: extended name: version normalize: [] original_fieldset: os short: Operating system version as a raw string. type: keyword host.type: dashed_name: host-type description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' flat_name: host.type ignore_above: 1024 level: core name: type normalize: [] short: Type of host. type: keyword host.uptime: dashed_name: host-uptime description: Seconds the host has been up. example: 1325 flat_name: host.uptime level: extended name: uptime normalize: [] short: Seconds the host has been up. type: long message: dashed_name: message description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World flat_name: message level: core name: message normalize: [] short: Log message optimized for viewing in a log viewer. type: match_only_text network.transport: dashed_name: network-transport description: 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying.' example: tcp flat_name: network.transport ignore_above: 1024 level: core name: transport normalize: [] short: Protocol Name corresponding to the field `iana_number`. type: keyword network.type: dashed_name: network-type description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying.' example: ipv4 flat_name: network.type ignore_above: 1024 level: core name: type normalize: [] short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc type: keyword process.Ext: dashed_name: process-Ext description: Object for all custom defined fields to live in. flat_name: process.Ext level: custom name: Ext normalize: [] short: Object for all custom defined fields to live in. type: object process.Ext.ancestry: dashed_name: process-Ext-ancestry description: An array of entity_ids indicating the ancestors for this event flat_name: process.Ext.ancestry ignore_above: 1024 level: custom name: Ext.ancestry normalize: [] short: An array of entity_ids indicating the ancestors for this event type: keyword process.Ext.api.behaviors: dashed_name: process-Ext-api-behaviors description: "A list of observed behaviors.\n \"cross-process\" - the observed\ \ activity was between two processes\n \"parent-child\" - the observed activity\ \ was between a parent process and its child\n \"native_api\" - a call was made\ \ directly to the Native API rather than the Win32 API\n \"direct_syscall\" -\ \ a syscall instruction originated outside of the Native API layer\n \"proxy_call\"\ \ - the call stack may indicate of a proxied API call to mask the true source\n\ \ \"sensitive_api\" - executable non-image memory is unexpectedly calling a sensitive\ \ API\n \"shellcode\" - suspicious executable non-image memory is calling a sensitive\ \ API\n \"image_hooked\" - an entry in the callstack appears to have been hooked\n\ \ 
\"image_indirect_call\" - an entry in the callstack was preceded by a call\ \ to a dynamically resolved function\n \"image_rop\" - no call instruction preceded\ \ an entry in the call stack\n \"image_rwx\" - an entry in the callstack is writable\n\ \ \"unbacked_rwx\" - an entry in the callstack is non-image and writable\n \"\ truncated_stack\" - call stack is unexpected truncated due to malicious tampering\ \ or system load\n \"allocate_shellcode\" - a region of non-image executable\ \ memory allocated more executable memory\n \"execute_fluctuation\" - the PAGE_EXECUTE\ \ protection is unexpectedly fluctuating\n \"write_fluctuation\" - the PAGE_WRITE\ \ protection of executable memory is unexpectedly fluctuating\n \"hook_api\"\ \ - a change to the memory protection of a small executable image memory region\ \ was made\n \"hollow_image\" - a change to the memory protection of a large\ \ executable image memory region was made\n \"hook_unbacked\" - a change to the\ \ memory protection of a small executable non-image memory was made\n \"hollow_unbacked\"\ \ - a change to the memory protection of a large executable non-image memory was\ \ made\n \"guarded_code\" - executable memory was unexpectedly marked as PAGE_GUARD\n\ \ \"hidden_code\" - executable memory was unexpectedly marked as PAGE_NOACCESS\n\ \ \"execute_shellcode\" - a region of non-image executable memory was unexpectedly\ \ transferred control\n \"hardware_breakpoint_set\" - a hardware breakpoint was\ \ set\n \"rapid_background_polling\" - a suspicious process which does rapid\ \ input polling via GetAsyncKeyState API was observed\n \"multiple_polling_processes\"\ \ - multiple suspicious processes which do rapid input polling via the GetAsyncKeyState\ \ API were observed\n \"pid_spoofing\" - The acting process details may have\ \ been spoofed to hide the true origin\n \"legacy_api\" - a deprecated or superseded\ \ API was called" example: '[ "cross-process", "rapid_background_polling", 
"multiple_polling_processes", "native_api", "shellcode" ]' flat_name: process.Ext.api.behaviors ignore_above: 1024 level: custom name: behaviors normalize: [] original_fieldset: api short: A list of observed behaviors. type: keyword process.Ext.api.metadata: dashed_name: process-Ext-api-metadata description: Information related to the API call. flat_name: process.Ext.api.metadata level: custom name: metadata normalize: [] original_fieldset: api short: Information related to the API call. type: object process.Ext.api.metadata.amsi_filenames: dashed_name: process-Ext-api-metadata-amsi-filenames description: A list of filenames previously scanned by AMSI. example: '[ "C:\script.ps1" ]' flat_name: process.Ext.api.metadata.amsi_filenames ignore_above: 1024 level: custom name: metadata.amsi_filenames normalize: [] original_fieldset: api short: A list of filenames previously scanned by AMSI. type: keyword process.Ext.api.metadata.amsi_logs: dashed_name: process-Ext-api-metadata-amsi-logs description: Information related to previous AMSI scans. flat_name: process.Ext.api.metadata.amsi_logs level: custom name: metadata.amsi_logs normalize: [] original_fieldset: api short: Information related to previous AMSI scans. type: object process.Ext.api.metadata.amsi_logs.entries: dashed_name: process-Ext-api-metadata-amsi-logs-entries description: A subset of the AMSI content buffers scanned prior to this event. 
example: '[ "[Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiInitFailed'', ''NonPublic,Static'').SetValue($null, $true);Add-Type -TypeDefinition ''using System; using System.Runtime.InteropServices; public class Kernel32 { [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);}" ]' flat_name: process.Ext.api.metadata.amsi_logs.entries ignore_above: 1024 level: custom name: metadata.amsi_logs.entries normalize: [] original_fieldset: api short: A subset of the AMSI content buffers scanned prior to this event. type: keyword process.Ext.api.metadata.amsi_logs.type: dashed_name: process-Ext-api-metadata-amsi-logs-type description: The AMSI content type scanned prior to this event. example: PowerShell flat_name: process.Ext.api.metadata.amsi_logs.type ignore_above: 1024 level: custom name: metadata.amsi_logs.type normalize: [] original_fieldset: api short: The AMSI content type scanned prior to this event. type: keyword process.Ext.api.metadata.background_callcount: dashed_name: process-Ext-api-metadata-background-callcount description: This field indicates a number of all GetAsyncKeyState api calls, including unsuccessful calls, between the last successful GetAsyncKeyState call. example: 6021 flat_name: process.Ext.api.metadata.background_callcount level: custom name: metadata.background_callcount normalize: [] original_fieldset: api short: The number of api calls since the last successful call. type: unsigned_long process.Ext.api.metadata.client_is_local: dashed_name: process-Ext-api-metadata-client-is-local description: Indicates whether a method was called locally or remotely. It will be true if called locally, and false if called remotely. 
  example: 'true'
  flat_name: process.Ext.api.metadata.client_is_local
  level: custom
  name: metadata.client_is_local
  normalize: []
  original_fieldset: api
  short: Indicates whether a method was called locally or from a remote host.
  type: boolean
process.Ext.api.metadata.client_machine:
  dashed_name: process-Ext-api-metadata-client-machine
  description: Client process's machine name (provided by the client and potentially untrustworthy).
  example: DESKTOP-EXAMPLE
  flat_name: process.Ext.api.metadata.client_machine
  ignore_above: 1024
  level: custom
  name: metadata.client_machine
  normalize: []
  original_fieldset: api
  short: Client process's machine name (provided by the client and potentially untrustworthy).
  type: keyword
process.Ext.api.metadata.client_machine_fqdn:
  dashed_name: process-Ext-api-metadata-client-machine-fqdn
  description: Client process's machine name FQDN (provided by the client and potentially untrustworthy).
  example: DESKTOP-EXAMPLE.elastic.co
  flat_name: process.Ext.api.metadata.client_machine_fqdn
  ignore_above: 1024
  level: custom
  name: metadata.client_machine_fqdn
  normalize: []
  original_fieldset: api
  short: Client process's machine name FQDN (provided by the client and potentially untrustworthy).
  type: keyword
process.Ext.api.metadata.client_process_id:
  dashed_name: process-Ext-api-metadata-client-process-id
  description: Client process ID.
  example: 3600
  flat_name: process.Ext.api.metadata.client_process_id
  level: custom
  name: metadata.client_process_id
  normalize: []
  original_fieldset: api
  short: Client process ID.
  type: unsigned_long
process.Ext.api.metadata.ms_since_last_keyevent:
  dashed_name: process-Ext-api-metadata-ms-since-last-keyevent
  description: This field indicates the elapsed time in milliseconds since the last GetAsyncKeyState event.
  example: 94
  flat_name: process.Ext.api.metadata.ms_since_last_keyevent
  level: custom
  name: metadata.ms_since_last_keyevent
  normalize: []
  original_fieldset: api
  short: This field indicates the elapsed time in milliseconds since the last GetAsyncKeyState event.
  type: unsigned_long
process.Ext.api.metadata.procedure_symbol:
  dashed_name: process-Ext-api-metadata-procedure-symbol
  description: Summary of the hook procedure.
  example: taskbar.dll
  flat_name: process.Ext.api.metadata.procedure_symbol
  ignore_above: 1024
  level: custom
  name: metadata.procedure_symbol
  normalize: []
  original_fieldset: api
  short: Summary of the hook procedure.
  type: keyword
process.Ext.api.metadata.return_value:
  dashed_name: process-Ext-api-metadata-return-value
  description: Return value of the RegisterRawInputDevices API call.
  example: 1
  flat_name: process.Ext.api.metadata.return_value
  level: custom
  name: metadata.return_value
  normalize: []
  original_fieldset: api
  short: Return value of the RegisterRawInputDevices API call.
  type: unsigned_long
process.Ext.api.metadata.security_descriptor:
  dashed_name: process-Ext-api-metadata-security-descriptor
  description: The security descriptor of the device object, in SDDL form.
  example: O:BAG:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:AI(ML;;NW;;;LW)
  flat_name: process.Ext.api.metadata.security_descriptor
  ignore_above: 1024
  level: custom
  name: metadata.security_descriptor
  normalize: []
  original_fieldset: api
  short: The security descriptor of the device object, in SDDL form.
  type: keyword
process.Ext.api.metadata.start_address_allocation_protection:
  dashed_name: process-Ext-api-metadata-start-address-allocation-protection
  description: Memory protection attributes associated with the starting address of a thread.
  example: RCX
  flat_name: process.Ext.api.metadata.start_address_allocation_protection
  ignore_above: 1024
  level: custom
  name: metadata.start_address_allocation_protection
  normalize: []
  original_fieldset: api
  short: Memory protection attributes associated with the starting address of a thread.
  type: keyword
process.Ext.api.metadata.start_address_module:
  dashed_name: process-Ext-api-metadata-start-address-module
  description: Name of the module associated with the starting address of a thread.
  example: C:\Windows\System32\DellTPad\ApMsgFwd.exe
  flat_name: process.Ext.api.metadata.start_address_module
  ignore_above: 1024
  level: custom
  name: metadata.start_address_module
  normalize: []
  original_fieldset: api
  short: Name of the module associated with the starting address of a thread.
  type: keyword
process.Ext.api.metadata.target_address_name:
  dashed_name: process-Ext-api-metadata-target-address-name
  description: The name of the memory region targeted by the API call.
  example: Unbacked
  flat_name: process.Ext.api.metadata.target_address_name
  ignore_above: 1024
  level: custom
  name: metadata.target_address_name
  normalize: []
  original_fieldset: api
  short: The name of the memory region targeted by the API call.
  type: keyword
process.Ext.api.metadata.target_address_path:
  dashed_name: process-Ext-api-metadata-target-address-path
  description: The path of the memory region targeted by the API call.
  example: C:\programdata\example.dll
  flat_name: process.Ext.api.metadata.target_address_path
  ignore_above: 1024
  level: custom
  name: metadata.target_address_path
  normalize: []
  original_fieldset: api
  short: The path of the memory region targeted by the API call.
  type: keyword
process.Ext.api.metadata.thread_info_flags:
  dashed_name: process-Ext-api-metadata-thread-info-flags
  description: Thread info flags.
  example: 16
  flat_name: process.Ext.api.metadata.thread_info_flags
  level: custom
  name: metadata.thread_info_flags
  normalize: []
  original_fieldset: api
  short: Thread info flags.
  type: unsigned_long
process.Ext.api.metadata.visible_windows_count:
  dashed_name: process-Ext-api-metadata-visible-windows-count
  description: Number of visible windows owned by the caller thread.
  example: 0
  flat_name: process.Ext.api.metadata.visible_windows_count
  level: custom
  name: metadata.visible_windows_count
  normalize: []
  original_fieldset: api
  short: Number of visible windows owned by the caller thread.
  type: unsigned_long
process.Ext.api.metadata.windows_count:
  dashed_name: process-Ext-api-metadata-windows-count
  description: Number of windows owned by the caller thread.
  example: 2
  flat_name: process.Ext.api.metadata.windows_count
  level: custom
  name: metadata.windows_count
  normalize: []
  original_fieldset: api
  short: Number of windows owned by the caller thread.
  type: unsigned_long
process.Ext.api.name:
  dashed_name: process-Ext-api-name
  description: The name of the API, usually the name of the function or system call.
  example: VirtualAlloc
  flat_name: process.Ext.api.name
  ignore_above: 1024
  level: custom
  name: name
  normalize: []
  original_fieldset: api
  short: The name of the API, usually the name of the function or system call.
  type: keyword
process.Ext.api.parameters:
  dashed_name: process-Ext-api-parameters
  description: Parameter values passed to the API call.
  flat_name: process.Ext.api.parameters
  level: custom
  name: parameters
  normalize: []
  original_fieldset: api
  short: Parameter values passed to the API call.
  type: object
process.Ext.api.parameters.address:
  dashed_name: process-Ext-api-parameters-address
  description: The target memory address.
  example: 2431737462784
  flat_name: process.Ext.api.parameters.address
  level: custom
  name: parameters.address
  normalize: []
  original_fieldset: api
  short: The target memory address.
  type: unsigned_long
process.Ext.api.parameters.allocation_type:
  dashed_name: process-Ext-api-parameters-allocation-type
  description: The type of memory allocation. Corresponds to `MEMORY_BASIC_INFORMATION.State`.
  example: COMMIT|RESERVE
  flat_name: process.Ext.api.parameters.allocation_type
  ignore_above: 1024
  level: custom
  name: parameters.allocation_type
  normalize: []
  original_fieldset: api
  short: The type of memory allocation. Corresponds to `MEMORY_BASIC_INFORMATION.State`.
  type: keyword
process.Ext.api.parameters.app_name:
  dashed_name: process-Ext-api-parameters-app-name
  description: The application name requesting the AMSI scan.
  example: PowerShell
  flat_name: process.Ext.api.parameters.app_name
  ignore_above: 1024
  level: custom
  name: parameters.app_name
  normalize: []
  original_fieldset: api
  short: The application name requesting the AMSI scan.
  type: keyword
process.Ext.api.parameters.argument1:
  dashed_name: process-Ext-api-parameters-argument1
  description: The first argument to the procedure.
  example: 1
  flat_name: process.Ext.api.parameters.argument1
  level: custom
  name: parameters.argument1
  normalize: []
  original_fieldset: api
  short: The first argument to the procedure.
  type: unsigned_long
process.Ext.api.parameters.argument2:
  dashed_name: process-Ext-api-parameters-argument2
  description: The second argument to the procedure.
  example: 2
  flat_name: process.Ext.api.parameters.argument2
  level: custom
  name: parameters.argument2
  normalize: []
  original_fieldset: api
  short: The second argument to the procedure.
  type: unsigned_long
process.Ext.api.parameters.argument3:
  dashed_name: process-Ext-api-parameters-argument3
  description: The third argument to the procedure.
  example: 3
  flat_name: process.Ext.api.parameters.argument3
  level: custom
  name: parameters.argument3
  normalize: []
  original_fieldset: api
  short: The third argument to the procedure.
  type: unsigned_long
process.Ext.api.parameters.buffer:
  dashed_name: process-Ext-api-parameters-buffer
  description: The content associated with an AMSI scan.
  example: '[Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiInitFailed'', ''NonPublic,Static'').SetValue($null, $true);Add-Type -TypeDefinition ''using System; using System.Runtime.InteropServices; public class Kernel32 { [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);}''; [Kernel32]::VirtualAlloc([IntPtr]::Zero, 0x1234, 0x1000, 0x20);'
  flat_name: process.Ext.api.parameters.buffer
  ignore_above: 1024
  level: custom
  name: parameters.buffer
  normalize: []
  original_fieldset: api
  short: The content associated with an AMSI scan.
  type: keyword
process.Ext.api.parameters.consumer_details:
  dashed_name: process-Ext-api-parameters-consumer-details
  description: Provides specific information about an event consumer, including its configuration, such as the command it executes, associated SID, and the consumer's name.
  flat_name: process.Ext.api.parameters.consumer_details
  ignore_above: 1024
  level: custom
  name: parameters.consumer_details
  normalize: []
  original_fieldset: api
  short: WMI Event consumer details.
  type: keyword
process.Ext.api.parameters.consumer_name:
  dashed_name: process-Ext-api-parameters-consumer-name
  description: Consumer Name. Consumers specify what should happen when the conditions in the Event Filter are triggered.
  example: ExampleConsumer
  flat_name: process.Ext.api.parameters.consumer_name
  ignore_above: 1024
  level: custom
  name: parameters.consumer_name
  normalize: []
  original_fieldset: api
  short: Consumer Name. Consumers specify what should happen when the conditions in the Event Filter are triggered.
  type: keyword
process.Ext.api.parameters.consumer_type:
  dashed_name: process-Ext-api-parameters-consumer-type
  description: "An example list of consumer types.\n \"ActiveScriptEventConsumer\"\
    \ - Executes a predefined script in an arbitrary scripting language when an event\
    \ is delivered to it.\n \"CommandLineEventConsumer\" - Launches an arbitrary\
    \ process in the local system context when an event is delivered to it.\n \"\
    LogFileEventConsumer\" - Writes customized strings to a text log file when events\
    \ are delivered to it.\n \"NTEventLogEventConsumer\" - Logs a specific message\
    \ to the Windows event log when an event is delivered to it.\n \"SMTPEventConsumer\"\
    \ - Sends an email message using SMTP each time an event is delivered to it."
  example: CommandLineEventConsumer
  flat_name: process.Ext.api.parameters.consumer_type
  ignore_above: 1024
  level: custom
  name: parameters.consumer_type
  normalize: []
  original_fieldset: api
  short: WMI event consumer type.
  type: keyword
process.Ext.api.parameters.content_name:
  dashed_name: process-Ext-api-parameters-content-name
  description: The content name, typically a filename, associated with an AMSI scan.
  example: C:\script.ps1
  flat_name: process.Ext.api.parameters.content_name
  ignore_above: 1024
  level: custom
  name: parameters.content_name
  normalize: []
  original_fieldset: api
  short: The content name, typically a filename, associated with an AMSI scan.
  type: keyword
process.Ext.api.parameters.context_flags:
  dashed_name: process-Ext-api-parameters-context-flags
  description: The bitmask of CPU registers operated on by this call. Corresponds to `CONTEXT.ContextFlags`.
  example: 1048607
  flat_name: process.Ext.api.parameters.context_flags
  level: custom
  name: parameters.context_flags
  normalize: []
  original_fieldset: api
  short: The bitmask of CPU registers operated on by this call. Corresponds to `CONTEXT.ContextFlags`.
  type: unsigned_long
process.Ext.api.parameters.desired_access:
  dashed_name: process-Ext-api-parameters-desired-access
  description: This parameter indicates the string value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`.
  flat_name: process.Ext.api.parameters.desired_access
  ignore_above: 1024
  level: custom
  name: parameters.desired_access
  normalize: []
  original_fieldset: api
  short: This parameter indicates the string value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`.
  type: keyword
process.Ext.api.parameters.desired_access_numeric:
  dashed_name: process-Ext-api-parameters-desired-access-numeric
  description: This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`.
  flat_name: process.Ext.api.parameters.desired_access_numeric
  level: custom
  name: parameters.desired_access_numeric
  normalize: []
  original_fieldset: api
  short: This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`.
  type: long
process.Ext.api.parameters.device:
  dashed_name: process-Ext-api-parameters-device
  description: The name of the device object.
  example: \Device\NPCAP
  flat_name: process.Ext.api.parameters.device
  ignore_above: 1024
  level: custom
  name: parameters.device
  normalize: []
  original_fieldset: api
  short: The name of the device object.
  type: keyword
process.Ext.api.parameters.driver:
  dashed_name: process-Ext-api-parameters-driver
  description: The name of the driver object.
  example: \Driver\npcap
  flat_name: process.Ext.api.parameters.driver
  ignore_above: 1024
  level: custom
  name: parameters.driver
  normalize: []
  original_fieldset: api
  short: The name of the driver object.
  type: keyword
process.Ext.api.parameters.eax:
  dashed_name: process-Ext-api-parameters-eax
  description: The x86 EAX general purpose register. Return value in __cdecl, __stdcall, __thiscall and __fastcall.
  example: 0
  flat_name: process.Ext.api.parameters.eax
  level: custom
  name: parameters.eax
  normalize: []
  original_fieldset: api
  short: The x86 EAX general purpose register. Return value in __cdecl, __stdcall, __thiscall and __fastcall.
  type: unsigned_long
process.Ext.api.parameters.ebp:
  dashed_name: process-Ext-api-parameters-ebp
  description: The x86 EBP frame pointer register.
  example: 15006644
  flat_name: process.Ext.api.parameters.ebp
  level: custom
  name: parameters.ebp
  normalize: []
  original_fieldset: api
  short: The x86 EBP frame pointer register.
  type: unsigned_long
process.Ext.api.parameters.ebx:
  dashed_name: process-Ext-api-parameters-ebx
  description: The x86 EBX general purpose register.
  example: 0
  flat_name: process.Ext.api.parameters.ebx
  level: custom
  name: parameters.ebx
  normalize: []
  original_fieldset: api
  short: The x86 EBX general purpose register.
  type: unsigned_long
process.Ext.api.parameters.ecx:
  dashed_name: process-Ext-api-parameters-ecx
  description: The x86 ECX general purpose register. First argument in __fastcall and __thiscall.
  example: 0
  flat_name: process.Ext.api.parameters.ecx
  level: custom
  name: parameters.ecx
  normalize: []
  original_fieldset: api
  short: The x86 ECX general purpose register. First argument in __fastcall and __thiscall.
  type: unsigned_long
process.Ext.api.parameters.edi:
  dashed_name: process-Ext-api-parameters-edi
  description: The x86 EDI general purpose register.
  example: 0
  flat_name: process.Ext.api.parameters.edi
  level: custom
  name: parameters.edi
  normalize: []
  original_fieldset: api
  short: The x86 EDI general purpose register.
  type: unsigned_long
process.Ext.api.parameters.edx:
  dashed_name: process-Ext-api-parameters-edx
  description: The x86 EDX general purpose register. Second argument in a __fastcall.
  example: 0
  flat_name: process.Ext.api.parameters.edx
  level: custom
  name: parameters.edx
  normalize: []
  original_fieldset: api
  short: The x86 EDX general purpose register. Second argument in a __fastcall.
  type: unsigned_long
process.Ext.api.parameters.eip:
  dashed_name: process-Ext-api-parameters-eip
  description: The x86 EIP instruction pointer register.
  example: 1472790528
  flat_name: process.Ext.api.parameters.eip
  level: custom
  name: parameters.eip
  normalize: []
  original_fieldset: api
  short: The x86 EIP instruction pointer register.
  type: unsigned_long
process.Ext.api.parameters.esi:
  dashed_name: process-Ext-api-parameters-esi
  description: The x86 ESI general purpose register.
  example: 0
  flat_name: process.Ext.api.parameters.esi
  level: custom
  name: parameters.esi
  normalize: []
  original_fieldset: api
  short: The x86 ESI general purpose register.
  type: unsigned_long
process.Ext.api.parameters.esp:
  dashed_name: process-Ext-api-parameters-esp
  description: The x86 ESP stack pointer register.
  example: 15007744
  flat_name: process.Ext.api.parameters.esp
  level: custom
  name: parameters.esp
  normalize: []
  original_fieldset: api
  short: The x86 ESP stack pointer register.
  type: unsigned_long
process.Ext.api.parameters.event_filter_details:
  dashed_name: process-Ext-api-parameters-event-filter-details
  description: Provides an overview of the query that defines when an event should be triggered.
  flat_name: process.Ext.api.parameters.event_filter_details
  ignore_above: 1024
  level: custom
  name: parameters.event_filter_details
  normalize: []
  original_fieldset: api
  short: Provides an overview of the query that defines when an event should be triggered.
  type: keyword
process.Ext.api.parameters.event_filter_name:
  dashed_name: process-Ext-api-parameters-event-filter-name
  description: Event filter name. An event filter is a WMI class that defines which events WMI delivers to a consumer.
  example: ExampleFilter
  flat_name: process.Ext.api.parameters.event_filter_name
  ignore_above: 1024
  level: custom
  name: parameters.event_filter_name
  normalize: []
  original_fieldset: api
  short: Event filter name. An event filter is a WMI class that defines which events WMI delivers to a consumer.
  type: keyword
process.Ext.api.parameters.flags:
  dashed_name: process-Ext-api-parameters-flags
  description: Mode flag that specifies how to interpret the information provided by UsagePage and Usage. Third member of the RAWINPUTDEVICE structure.
  example: INPUTSINK
  flat_name: process.Ext.api.parameters.flags
  ignore_above: 1024
  level: custom
  name: parameters.flags
  normalize: []
  original_fieldset: api
  short: Mode flag that specifies how to interpret the information provided by UsagePage and Usage.
  type: keyword
process.Ext.api.parameters.handle_type:
  dashed_name: process-Ext-api-parameters-handle-type
  description: This parameter indicates whether the detected access was attempted against a process or a thread.
  example: process
  flat_name: process.Ext.api.parameters.handle_type
  ignore_above: 1024
  level: custom
  name: parameters.handle_type
  normalize: []
  original_fieldset: api
  short: This parameter indicates whether the detected access was attempted against a process or a thread.
  type: keyword
process.Ext.api.parameters.hook_module:
  dashed_name: process-Ext-api-parameters-hook-module
  description: DLL containing the hook procedure.
  example: c:\windows\system32\taskbar.dll
  flat_name: process.Ext.api.parameters.hook_module
  ignore_above: 1024
  level: custom
  name: parameters.hook_module
  normalize: []
  original_fieldset: api
  short: DLL containing the hook procedure.
  type: keyword
process.Ext.api.parameters.hook_type:
  dashed_name: process-Ext-api-parameters-hook-type
  description: Type of hook procedure to be installed.
  example: WH_KEYBOARD_LL
  flat_name: process.Ext.api.parameters.hook_type
  ignore_above: 1024
  level: custom
  name: parameters.hook_type
  normalize: []
  original_fieldset: api
  short: Type of hook procedure to be installed.
  type: keyword
process.Ext.api.parameters.io_control_code:
  dashed_name: process-Ext-api-parameters-io-control-code
  description: The I/O control code for the requested device operation.
  example: 27365
  flat_name: process.Ext.api.parameters.io_control_code
  level: custom
  name: parameters.io_control_code
  normalize: []
  original_fieldset: api
  short: The I/O control code for the requested device operation.
  type: unsigned_long
process.Ext.api.parameters.namespace:
  dashed_name: process-Ext-api-parameters-namespace
  description: WMI namespace to which the connection is made.
  example: root\Microsoft\Windows\DeviceGuard
  flat_name: process.Ext.api.parameters.namespace
  ignore_above: 1024
  level: custom
  name: parameters.namespace
  normalize: []
  original_fieldset: api
  short: WMI namespace to which the connection is made.
  type: keyword
process.Ext.api.parameters.operation:
  dashed_name: process-Ext-api-parameters-operation
  description: Specifies the connection or request to WMI.
  example: Win32_Process::Create
  flat_name: process.Ext.api.parameters.operation
  ignore_above: 1024
  level: custom
  name: parameters.operation
  normalize: []
  original_fieldset: api
  short: Specifies the connection or request to WMI.
  type: keyword
process.Ext.api.parameters.procedure:
  dashed_name: process-Ext-api-parameters-procedure
  description: The memory address of the procedure or function.
  example: 2431737462784
  flat_name: process.Ext.api.parameters.procedure
  level: custom
  name: parameters.procedure
  normalize: []
  original_fieldset: api
  short: The memory address of the procedure or function.
  type: unsigned_long
process.Ext.api.parameters.protection:
  dashed_name: process-Ext-api-parameters-protection
  description: The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`.
  example: RWX|GUARD
  flat_name: process.Ext.api.parameters.protection
  ignore_above: 1024
  level: custom
  name: parameters.protection
  normalize: []
  original_fieldset: api
  short: The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`.
  type: keyword
process.Ext.api.parameters.protection_old:
  dashed_name: process-Ext-api-parameters-protection-old
  description: The previous memory protection returned by the API call. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`.
  example: RCX
  flat_name: process.Ext.api.parameters.protection_old
  ignore_above: 1024
  level: custom
  name: parameters.protection_old
  normalize: []
  original_fieldset: api
  short: The previous memory protection returned by the API call. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`.
  type: keyword
process.Ext.api.parameters.r8:
  dashed_name: process-Ext-api-parameters-r8
  description: The x64 R8 general purpose register. Third argument in a __fastcall.
  example: 3
  flat_name: process.Ext.api.parameters.r8
  level: custom
  name: parameters.r8
  normalize: []
  original_fieldset: api
  short: The x64 R8 general purpose register. Third argument in a __fastcall.
  type: unsigned_long
process.Ext.api.parameters.r9:
  dashed_name: process-Ext-api-parameters-r9
  description: The x64 R9 general purpose register. Fourth argument in a __fastcall.
  example: 4
  flat_name: process.Ext.api.parameters.r9
  level: custom
  name: parameters.r9
  normalize: []
  original_fieldset: api
  short: The x64 R9 general purpose register. Fourth argument in a __fastcall.
  type: unsigned_long
process.Ext.api.parameters.rax:
  dashed_name: process-Ext-api-parameters-rax
  description: The x64 RAX general purpose register. Return value in a __fastcall.
  example: 0
  flat_name: process.Ext.api.parameters.rax
  level: custom
  name: parameters.rax
  normalize: []
  original_fieldset: api
  short: The x64 RAX general purpose register. Return value in a __fastcall.
  type: unsigned_long
process.Ext.api.parameters.rbp:
  dashed_name: process-Ext-api-parameters-rbp
  description: The x64 RBP general purpose register.
  example: 0
  flat_name: process.Ext.api.parameters.rbp
  level: custom
  name: parameters.rbp
  normalize: []
  original_fieldset: api
  short: The x64 RBP general purpose register.
  type: unsigned_long
process.Ext.api.parameters.rbx:
  dashed_name: process-Ext-api-parameters-rbx
  description: The x64 RBX general purpose register.
  example: 0
  flat_name: process.Ext.api.parameters.rbx
  ignore_above: 1024
  level: custom
  name: parameters.rbx
  normalize: []
  original_fieldset: api
  short: The x64 RBX general purpose register.
  type: keyword
process.Ext.api.parameters.rcx:
  dashed_name: process-Ext-api-parameters-rcx
  description: The x64 RCX general purpose register. First argument in a __fastcall.
  example: 1
  flat_name: process.Ext.api.parameters.rcx
  level: custom
  name: parameters.rcx
  normalize: []
  original_fieldset: api
  short: The x64 RCX general purpose register. First argument in a __fastcall.
  type: unsigned_long
process.Ext.api.parameters.rdi:
  dashed_name: process-Ext-api-parameters-rdi
  description: The x64 RDI general purpose register.
  example: 0
  flat_name: process.Ext.api.parameters.rdi
  level: custom
  name: parameters.rdi
  normalize: []
  original_fieldset: api
  short: The x64 RDI general purpose register.
  type: unsigned_long
process.Ext.api.parameters.rdx:
  dashed_name: process-Ext-api-parameters-rdx
  description: The x64 RDX general purpose register. Second argument in a __fastcall.
  example: 2
  flat_name: process.Ext.api.parameters.rdx
  level: custom
  name: parameters.rdx
  normalize: []
  original_fieldset: api
  short: The x64 RDX general purpose register. Second argument in a __fastcall.
  type: unsigned_long
process.Ext.api.parameters.rip:
  dashed_name: process-Ext-api-parameters-rip
  description: The x64 RIP instruction pointer register.
  example: 140706153693184
  flat_name: process.Ext.api.parameters.rip
  level: custom
  name: parameters.rip
  normalize: []
  original_fieldset: api
  short: The x64 RIP instruction pointer register.
  type: unsigned_long
process.Ext.api.parameters.rsi:
  dashed_name: process-Ext-api-parameters-rsi
  description: The x64 RSI general purpose register.
  example: 0
  flat_name: process.Ext.api.parameters.rsi
  ignore_above: 1024
  level: custom
  name: parameters.rsi
  normalize: []
  original_fieldset: api
  short: The x64 RSI general purpose register.
  type: keyword
process.Ext.api.parameters.rsp:
  dashed_name: process-Ext-api-parameters-rsp
  description: The x64 RSP stack pointer register.
  example: 2431737462784
  flat_name: process.Ext.api.parameters.rsp
  level: custom
  name: parameters.rsp
  normalize: []
  original_fieldset: api
  short: The x64 RSP stack pointer register.
  type: unsigned_long
process.Ext.api.parameters.size:
  dashed_name: process-Ext-api-parameters-size
  description: The size argument passed to the API call, in bytes.
  example: 4096
  flat_name: process.Ext.api.parameters.size
  level: custom
  name: parameters.size
  normalize: []
  original_fieldset: api
  short: The size argument passed to the API call, in bytes.
  type: unsigned_long
process.Ext.api.parameters.usage:
  dashed_name: process-Ext-api-parameters-usage
  description: This parameter indicates the specific device (Usage) within the Usage Page. Second member of the RAWINPUTDEVICE structure.
  example: KEYBOARD
  flat_name: process.Ext.api.parameters.usage
  ignore_above: 1024
  level: custom
  name: parameters.usage
  normalize: []
  original_fieldset: api
  short: This parameter indicates the specific device (Usage) within the Usage Page. Second member of the RAWINPUTDEVICE structure.
  type: keyword
process.Ext.api.parameters.usage_page:
  dashed_name: process-Ext-api-parameters-usage-page
  description: This parameter indicates the top-level collection (Usage Page) of the device. First member of the RAWINPUTDEVICE structure.
  example: GENERIC
  flat_name: process.Ext.api.parameters.usage_page
  ignore_above: 1024
  level: custom
  name: parameters.usage_page
  normalize: []
  original_fieldset: api
  short: This parameter indicates the top-level collection (Usage Page) of the device. First member of the RAWINPUTDEVICE structure.
  type: keyword
process.Ext.api.summary:
  dashed_name: process-Ext-api-summary
  description: The summary of the API call and its parameters.
  example: VirtualAllocEx( file.exe, NULL, 0x42000, COMMIT|RESERVE, RWX )
  flat_name: process.Ext.api.summary
  ignore_above: 1024
  level: custom
  name: summary
  normalize: []
  original_fieldset: api
  short: The summary of the API call and its parameters.
  type: keyword
process.Ext.code_signature:
  dashed_name: process-Ext-code-signature
  description: Nested version of ECS code_signature fieldset.
  flat_name: process.Ext.code_signature
  level: custom
  name: Ext.code_signature
  normalize: []
  short: Nested version of ECS code_signature fieldset.
  type: nested
process.Ext.code_signature.exists:
  dashed_name: process-Ext-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: process.Ext.code_signature.exists
  level: custom
  name: Ext.code_signature.exists
  normalize: []
  short: Boolean to capture if a signature is present.
  type: boolean
process.Ext.code_signature.status:
  dashed_name: process-Ext-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: process.Ext.code_signature.status
  ignore_above: 1024
  level: custom
  name: Ext.code_signature.status
  normalize: []
  short: Additional information about the certificate status.
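The process.Ext.api.* fields above arrive as one nested document per API call, and their value is in the rules a detection engineer writes over them. The following is an added example, not code from the endpoint package or from this schema. It resolves the schema's flat_name paths against a nested event and evaluates four rules drawn from the fields documented above: a memory API call that leaves an executable region with no file backing (or that the endpoint already tagged with the "shellcode" behavior), an AMSI scan whose buffer carries the AmsiUtils.amsiInitFailed patch shown in the schema's own example, a WMI subscription bound to a CommandLineEventConsumer, and a successful keyboard raw-input registration with INPUTSINK from a thread that owns no visible window. The sample events, rule names, thresholds, the helper functions get() and api_event(), and the api.name values used for the AMSI and WMI samples ("AmsiScanBuffer", "IWbemServices::PutInstance") are constructed assumptions; the field names are the schema's.

```python
"""Rule evaluation over Elastic Endpoint ``process.Ext.api`` documents.

Added example (not part of the endpoint package). Field paths are the
schema's ``flat_name`` values; the rules, thresholds and sample events
below are constructed for illustration.
"""


def get(doc, flat_name, default=None):
    """Resolve a dotted flat_name against the nested document the endpoint ships."""
    node = doc
    for part in flat_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


MEMORY_APIS = ("VirtualAlloc", "VirtualProtect",
               "NtAllocateVirtualMemory", "NtProtectVirtualMemory")


def rule_unbacked_executable_memory(doc):
    """Memory API call leaving an executable region that no file backs, or one
    the endpoint already tagged with the 'shellcode' behavior."""
    name = get(doc, "process.Ext.api.name", "")
    base_prot = get(doc, "process.Ext.api.parameters.protection", "").split("|")[0]
    target = get(doc, "process.Ext.api.metadata.target_address_name", "")
    behaviors = get(doc, "process.Ext.api.behaviors", [])
    return (name.startswith(MEMORY_APIS) and "X" in base_prot
            and (target == "Unbacked" or "shellcode" in behaviors))


def rule_amsi_bypass_in_buffer(doc):
    """AMSI scan whose content patches AmsiUtils.amsiInitFailed (schema example buffer)."""
    buf = get(doc, "process.Ext.api.parameters.buffer", "").lower()
    return "amsiutils" in buf and "amsiinitfailed" in buf


def rule_wmi_commandline_consumer(doc):
    """Permanent WMI subscription binding a filter to a CommandLineEventConsumer."""
    return (get(doc, "process.Ext.api.parameters.consumer_type") == "CommandLineEventConsumer"
            and get(doc, "process.Ext.api.parameters.event_filter_name") is not None)


def rule_raw_input_keyboard_sink(doc):
    """RegisterRawInputDevices succeeded for the keyboard with INPUTSINK from a
    thread owning no visible window: keystrokes captured with no UI on screen."""
    return (get(doc, "process.Ext.api.name") == "RegisterRawInputDevices"
            and get(doc, "process.Ext.api.parameters.usage") == "KEYBOARD"
            and "INPUTSINK" in get(doc, "process.Ext.api.parameters.flags", "")
            and get(doc, "process.Ext.api.metadata.visible_windows_count", 1) == 0
            and get(doc, "process.Ext.api.metadata.return_value") == 1)


RULES = {
    "unbacked_executable_memory": rule_unbacked_executable_memory,
    "amsi_bypass_in_buffer": rule_amsi_bypass_in_buffer,
    "wmi_commandline_consumer": rule_wmi_commandline_consumer,
    "raw_input_keyboard_sink": rule_raw_input_keyboard_sink,
}


def evaluate(doc):
    """Return the sorted names of every rule the document satisfies."""
    return sorted(name for name, rule in RULES.items() if rule(doc))


def api_event(name, parameters=None, metadata=None, behaviors=None):
    """Build a nested document shaped like the schema (constructed, for the samples)."""
    api = {"name": name, "parameters": parameters or {}, "metadata": metadata or {}}
    if behaviors:
        api["behaviors"] = behaviors
    return {"process": {"Ext": {"api": api}}}


# Constructed sample events; values mirror the schema's own examples where one exists.
SAMPLES = {
    "alloc_rwx": api_event("VirtualAllocEx",
        {"allocation_type": "COMMIT|RESERVE", "protection": "RWX", "size": 0x42000},
        {"target_address_name": "Unbacked"}, ["shellcode"]),
    "alloc_rw": api_event("VirtualAllocEx",
        {"allocation_type": "COMMIT|RESERVE", "protection": "RW-", "size": 4096},
        {"target_address_name": "Unbacked"}),
    "amsi_patch": api_event("AmsiScanBuffer", {  # api.name assumed
        "app_name": "PowerShell", "content_name": r"C:\script.ps1",
        "buffer": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                  ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"}),
    "wmi_persist": api_event("IWbemServices::PutInstance", {  # api.name assumed
        "namespace": r"root\subscription", "consumer_type": "CommandLineEventConsumer",
        "consumer_name": "ExampleConsumer", "event_filter_name": "ExampleFilter"}),
    "keylogger": api_event("RegisterRawInputDevices",
        {"usage_page": "GENERIC", "usage": "KEYBOARD", "flags": "INPUTSINK"},
        {"visible_windows_count": 0, "windows_count": 1, "return_value": 1}),
    "game_input": api_event("RegisterRawInputDevices",
        {"usage_page": "GENERIC", "usage": "KEYBOARD", "flags": "INPUTSINK"},
        {"visible_windows_count": 1, "windows_count": 2, "return_value": 1}),
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:12s} -> {evaluate(doc) or ['clean']}")
```

The get() helper is the piece worth keeping: the schema publishes flat_name paths, but the endpoint ships nested objects, so rules written against flat names need one resolver rather than hand-written dictionary walks. The raw-input rule keys off visible_windows_count and return_value rather than the API name alone, because a game or remote-desktop client legitimately registers a keyboard sink while owning a visible window; the benign "game_input" sample shows that distinction.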
  type: keyword
process.Ext.code_signature.subject_name:
  dashed_name: process-Ext-code-signature-subject-name
  description: Subject name of the code signer.
  example: Microsoft Corporation
  flat_name: process.Ext.code_signature.subject_name
  ignore_above: 1024
  level: custom
  name: Ext.code_signature.subject_name
  normalize: []
  short: Subject name of the code signer.
  type: keyword
process.Ext.code_signature.trusted:
  dashed_name: process-Ext-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: process.Ext.code_signature.trusted
  level: custom
  name: Ext.code_signature.trusted
  normalize: []
  short: Stores the trust status of the certificate chain.
  type: boolean
process.Ext.created_suspended:
  dashed_name: process-Ext-created-suspended
  description: A heuristic indicating if the CREATE_SUSPENDED flag was passed to the Win32 CreateProcess API. Not valid for direct syscalls.
  example: 'true'
  flat_name: process.Ext.created_suspended
  level: custom
  name: Ext.created_suspended
  normalize: []
  short: A heuristic indicating if the CREATE_SUSPENDED flag was passed to the Win32 CreateProcess API.
  type: boolean
process.Ext.memory_region.allocation_base:
  dashed_name: process-Ext-memory-region-allocation-base
  description: Base address of the memory allocation containing the memory region.
  example: 2431737462784
  flat_name: process.Ext.memory_region.allocation_base
  level: custom
  name: allocation_base
  normalize: []
  original_fieldset: memory_region
  short: Base address of the memory allocation containing the memory region.
  type: unsigned_long
process.Ext.memory_region.allocation_protection:
  dashed_name: process-Ext-memory-region-allocation-protection
  description: Original memory protection requested when the memory was allocated. Example values include "RWX" and "R-X".
  example: RWX
  flat_name: process.Ext.memory_region.allocation_protection
  ignore_above: 1024
  level: custom
  name: allocation_protection
  normalize: []
  original_fieldset: memory_region
  short: Original memory protection requested when the memory was allocated. Example values include "RWX" and "R-X".
  type: keyword
process.Ext.memory_region.allocation_size:
  dashed_name: process-Ext-memory-region-allocation-size
  description: Original memory size requested when the memory was allocated.
  example: 4096
  flat_name: process.Ext.memory_region.allocation_size
  level: custom
  name: allocation_size
  normalize: []
  original_fieldset: memory_region
  short: Original memory size requested when the memory was allocated.
  type: unsigned_long
process.Ext.memory_region.allocation_type:
  dashed_name: process-Ext-memory-region-allocation-type
  description: The memory allocation type. Example values include "IMAGE", "MAPPED", and "PRIVATE".
  example: PRIVATE
  flat_name: process.Ext.memory_region.allocation_type
  ignore_above: 1024
  level: custom
  name: allocation_type
  normalize: []
  original_fieldset: memory_region
  short: The memory allocation type. Example values include "IMAGE", "MAPPED", and "PRIVATE".
  type: keyword
process.Ext.memory_region.bytes_address:
  dashed_name: process-Ext-memory-region-bytes-address
  description: The address where bytes_compressed begins.
  example: 2431737462784
  flat_name: process.Ext.memory_region.bytes_address
  level: custom
  name: bytes_address
  normalize: []
  original_fieldset: memory_region
  short: The address where bytes_compressed begins.
  type: unsigned_long
process.Ext.memory_region.bytes_allocation_offset:
  dashed_name: process-Ext-memory-region-bytes-allocation-offset
  description: Offset of bytes_address within the memory allocation. Equal to bytes_address - allocation_base.
example: 0 flat_name: process.Ext.memory_region.bytes_allocation_offset level: custom name: bytes_allocation_offset normalize: [] original_fieldset: memory_region short: Offset of bytes_address the memory allocation. Equal to bytes_address - allocation_base. type: unsigned_long process.Ext.memory_region.bytes_compressed: dashed_name: process-Ext-memory-region-bytes-compressed description: Up to 4MB of raw data from the memory allocation. This is compressed with zlib.To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. doc_values: false example: eJzzSM3JyVcIzy/KSVEEABxJBD4= flat_name: process.Ext.memory_region.bytes_compressed index: false level: custom name: bytes_compressed normalize: [] original_fieldset: memory_region short: Up to 4MB of raw data from the memory allocation. type: keyword process.Ext.memory_region.bytes_compressed_present: dashed_name: process-Ext-memory-region-bytes-compressed-present description: Whether bytes_compressed is present in this event. example: false flat_name: process.Ext.memory_region.bytes_compressed_present level: custom name: bytes_compressed_present normalize: [] original_fieldset: memory_region short: Whether bytes_compressed is present in this event. type: boolean process.Ext.memory_region.hash.sha256: dashed_name: process-Ext-memory-region-hash-sha256 description: The sha256 of the memory region. example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0 flat_name: process.Ext.memory_region.hash.sha256 ignore_above: 1024 level: custom name: hash.sha256 normalize: [] original_fieldset: memory_region short: The sha256 of the memory region. type: keyword process.Ext.memory_region.malware_signature.all_names: dashed_name: process-Ext-memory-region-malware-signature-all-names description: A sequence of signature names matched. 
example: Windows.EICAR.Not-a-virus flat_name: process.Ext.memory_region.malware_signature.all_names ignore_above: 1024 level: custom name: all_names normalize: [] original_fieldset: malware_signature short: A sequence of signature names matched. type: keyword process.Ext.memory_region.malware_signature.identifier: dashed_name: process-Ext-memory-region-malware-signature-identifier description: malware signature identifier flat_name: process.Ext.memory_region.malware_signature.identifier ignore_above: 1024 level: custom name: identifier normalize: [] original_fieldset: malware_signature short: malware signature identifier type: keyword process.Ext.memory_region.malware_signature.primary: dashed_name: process-Ext-memory-region-malware-signature-primary description: The first matching details. flat_name: process.Ext.memory_region.malware_signature.primary level: custom name: primary normalize: [] original_fieldset: malware_signature short: The first matching details. type: object process.Ext.memory_region.malware_signature.primary.matches: dashed_name: process-Ext-memory-region-malware-signature-primary-matches description: The first matching details. doc_values: false flat_name: process.Ext.memory_region.malware_signature.primary.matches index: false level: custom name: primary.matches normalize: [] original_fieldset: malware_signature short: The first matching details. type: keyword process.Ext.memory_region.malware_signature.primary.signature.hash: dashed_name: process-Ext-memory-region-malware-signature-primary-signature-hash description: hash of file matching signature. flat_name: process.Ext.memory_region.malware_signature.primary.signature.hash level: custom name: primary.signature.hash normalize: [] original_fieldset: malware_signature short: hash of file matching signature. 
type: nested process.Ext.memory_region.malware_signature.primary.signature.hash.sha256: dashed_name: process-Ext-memory-region-malware-signature-primary-signature-hash-sha256 description: sha256 hash of file matching signature. flat_name: process.Ext.memory_region.malware_signature.primary.signature.hash.sha256 ignore_above: 1024 level: custom name: primary.signature.hash.sha256 normalize: [] original_fieldset: malware_signature short: sha256 hash of file matching signature. type: keyword process.Ext.memory_region.malware_signature.primary.signature.id: dashed_name: process-Ext-memory-region-malware-signature-primary-signature-id description: The id of the first yara rule matched. flat_name: process.Ext.memory_region.malware_signature.primary.signature.id ignore_above: 1024 level: custom name: primary.signature.id normalize: [] original_fieldset: malware_signature short: The id of the first yara rule matched. type: keyword process.Ext.memory_region.malware_signature.primary.signature.name: dashed_name: process-Ext-memory-region-malware-signature-primary-signature-name description: The name of the first yara rule matched. flat_name: process.Ext.memory_region.malware_signature.primary.signature.name ignore_above: 1024 level: custom name: primary.signature.name normalize: [] original_fieldset: malware_signature short: The name of the first yara rule matched. type: keyword process.Ext.memory_region.malware_signature.secondary: dashed_name: process-Ext-memory-region-malware-signature-secondary description: Additional matching details if available. enabled: false flat_name: process.Ext.memory_region.malware_signature.secondary level: custom name: secondary normalize: [] original_fieldset: malware_signature short: Additional matching details if available. type: nested process.Ext.memory_region.malware_signature.secondary.matches: dashed_name: process-Ext-memory-region-malware-signature-secondary-matches description: The second matching details. 
enabled: false flat_name: process.Ext.memory_region.malware_signature.secondary.matches ignore_above: 1024 level: custom name: secondary.matches normalize: [] original_fieldset: malware_signature short: The second matching details. type: keyword process.Ext.memory_region.malware_signature.secondary.signature.hash: dashed_name: process-Ext-memory-region-malware-signature-secondary-signature-hash description: hash of second file matching signature. enabled: false flat_name: process.Ext.memory_region.malware_signature.secondary.signature.hash level: custom name: secondary.signature.hash normalize: [] original_fieldset: malware_signature short: hash of second file matching signature. type: nested process.Ext.memory_region.malware_signature.secondary.signature.hash.sha256: dashed_name: process-Ext-memory-region-malware-signature-secondary-signature-hash-sha256 description: sha256 hash of second file matching signature. enabled: false flat_name: process.Ext.memory_region.malware_signature.secondary.signature.hash.sha256 ignore_above: 1024 level: custom name: secondary.signature.hash.sha256 normalize: [] original_fieldset: malware_signature short: sha256 hash of second file matching signature. type: keyword process.Ext.memory_region.malware_signature.secondary.signature.id: dashed_name: process-Ext-memory-region-malware-signature-secondary-signature-id description: The id of the second yara rule matched. enabled: false flat_name: process.Ext.memory_region.malware_signature.secondary.signature.id ignore_above: 1024 level: custom name: secondary.signature.id normalize: [] original_fieldset: malware_signature short: The id of the second yara rule matched. type: keyword process.Ext.memory_region.malware_signature.secondary.signature.name: dashed_name: process-Ext-memory-region-malware-signature-secondary-signature-name description: The name of the second yara rule matched. 
enabled: false flat_name: process.Ext.memory_region.malware_signature.secondary.signature.name ignore_above: 1024 level: custom name: secondary.signature.name normalize: [] original_fieldset: malware_signature short: The name of the second yara rule matched. type: keyword process.Ext.memory_region.malware_signature.version: dashed_name: process-Ext-memory-region-malware-signature-version description: malware signature version flat_name: process.Ext.memory_region.malware_signature.version ignore_above: 1024 level: custom name: version normalize: [] original_fieldset: malware_signature short: malware signature version type: keyword process.Ext.memory_region.mapped_path: dashed_name: process-Ext-memory-region-mapped-path description: If the memory corresponds to a file mapping, this is the file's path. example: C:\Windows\System32\mshtml.dll flat_name: process.Ext.memory_region.mapped_path ignore_above: 1024 level: custom name: mapped_path normalize: [] original_fieldset: memory_region short: If the memory corresponds to a file mapping, this is the file's path. type: keyword process.Ext.memory_region.mapped_pe.Ext.dotnet: dashed_name: process-Ext-memory-region-mapped-pe-Ext-dotnet description: Whether this file is a .NET PE example: 'true' flat_name: process.Ext.memory_region.mapped_pe.Ext.dotnet level: custom name: Ext.dotnet normalize: [] original_fieldset: pe short: Whether this file is a .NET PE type: boolean process.Ext.memory_region.mapped_pe.Ext.sections: dashed_name: process-Ext-memory-region-mapped-pe-Ext-sections description: The file's relevant sections, if it is a PE flat_name: process.Ext.memory_region.mapped_pe.Ext.sections level: custom name: Ext.sections normalize: [] original_fieldset: pe short: The file's sections, if it is a PE type: object process.Ext.memory_region.mapped_pe.Ext.sections.hash.md5: dashed_name: process-Ext-memory-region-mapped-pe-Ext-sections-hash-md5 description: MD5 hash. 
flat_name: process.Ext.memory_region.mapped_pe.Ext.sections.hash.md5 ignore_above: 1024 level: extended name: md5 normalize: [] original_fieldset: hash short: MD5 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha1: dashed_name: process-Ext-memory-region-mapped-pe-Ext-sections-hash-sha1 description: SHA1 hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha1 ignore_above: 1024 level: extended name: sha1 normalize: [] original_fieldset: hash short: SHA1 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha256: dashed_name: process-Ext-memory-region-mapped-pe-Ext-sections-hash-sha256 description: SHA256 hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha256 ignore_above: 1024 level: extended name: sha256 normalize: [] original_fieldset: hash short: SHA256 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha384: dashed_name: process-Ext-memory-region-mapped-pe-Ext-sections-hash-sha384 description: SHA384 hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha384 ignore_above: 1024 level: extended name: sha384 normalize: [] original_fieldset: hash short: SHA384 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha512: dashed_name: process-Ext-memory-region-mapped-pe-Ext-sections-hash-sha512 description: SHA512 hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.sections.hash.sha512 ignore_above: 1024 level: extended name: sha512 normalize: [] original_fieldset: hash short: SHA512 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.sections.hash.ssdeep: dashed_name: process-Ext-memory-region-mapped-pe-Ext-sections-hash-ssdeep description: SSDEEP hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.sections.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep normalize: [] original_fieldset: hash short: SSDEEP hash. 
type: keyword process.Ext.memory_region.mapped_pe.Ext.sections.hash.tlsh: dashed_name: process-Ext-memory-region-mapped-pe-Ext-sections-hash-tlsh description: TLSH hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.sections.hash.tlsh ignore_above: 1024 level: extended name: tlsh normalize: [] original_fieldset: hash short: TLSH hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.sections.name: dashed_name: process-Ext-memory-region-mapped-pe-Ext-sections-name description: The section's name example: .reloc flat_name: process.Ext.memory_region.mapped_pe.Ext.sections.name ignore_above: 1024 level: custom name: Ext.sections.name normalize: [] original_fieldset: pe short: The section's name type: keyword process.Ext.memory_region.mapped_pe.Ext.streams: dashed_name: process-Ext-memory-region-mapped-pe-Ext-streams description: The file's streams, if it is a PE flat_name: process.Ext.memory_region.mapped_pe.Ext.streams level: custom name: Ext.streams normalize: [] original_fieldset: pe short: The file's streams, if it is a PE type: object process.Ext.memory_region.mapped_pe.Ext.streams.hash.md5: dashed_name: process-Ext-memory-region-mapped-pe-Ext-streams-hash-md5 description: MD5 hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.streams.hash.md5 ignore_above: 1024 level: extended name: md5 normalize: [] original_fieldset: hash short: MD5 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha1: dashed_name: process-Ext-memory-region-mapped-pe-Ext-streams-hash-sha1 description: SHA1 hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha1 ignore_above: 1024 level: extended name: sha1 normalize: [] original_fieldset: hash short: SHA1 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha256: dashed_name: process-Ext-memory-region-mapped-pe-Ext-streams-hash-sha256 description: SHA256 hash. 
flat_name: process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha256 ignore_above: 1024 level: extended name: sha256 normalize: [] original_fieldset: hash short: SHA256 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha384: dashed_name: process-Ext-memory-region-mapped-pe-Ext-streams-hash-sha384 description: SHA384 hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha384 ignore_above: 1024 level: extended name: sha384 normalize: [] original_fieldset: hash short: SHA384 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha512: dashed_name: process-Ext-memory-region-mapped-pe-Ext-streams-hash-sha512 description: SHA512 hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.streams.hash.sha512 ignore_above: 1024 level: extended name: sha512 normalize: [] original_fieldset: hash short: SHA512 hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.streams.hash.ssdeep: dashed_name: process-Ext-memory-region-mapped-pe-Ext-streams-hash-ssdeep description: SSDEEP hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.streams.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep normalize: [] original_fieldset: hash short: SSDEEP hash. type: keyword process.Ext.memory_region.mapped_pe.Ext.streams.hash.tlsh: dashed_name: process-Ext-memory-region-mapped-pe-Ext-streams-hash-tlsh description: TLSH hash. flat_name: process.Ext.memory_region.mapped_pe.Ext.streams.hash.tlsh ignore_above: 1024 level: extended name: tlsh normalize: [] original_fieldset: hash short: TLSH hash. 
type: keyword process.Ext.memory_region.mapped_pe.Ext.streams.name: dashed_name: process-Ext-memory-region-mapped-pe-Ext-streams-name description: The stream's name example: .reloc flat_name: process.Ext.memory_region.mapped_pe.Ext.streams.name ignore_above: 1024 level: custom name: Ext.streams.name normalize: [] original_fieldset: pe short: The stream's name type: keyword process.Ext.memory_region.mapped_pe.architecture: dashed_name: process-Ext-memory-region-mapped-pe-architecture description: CPU architecture target for the file. example: x64 flat_name: process.Ext.memory_region.mapped_pe.architecture ignore_above: 1024 level: extended name: architecture normalize: [] original_fieldset: pe short: CPU architecture target for the file. type: keyword process.Ext.memory_region.mapped_pe.company: dashed_name: process-Ext-memory-region-mapped-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation flat_name: process.Ext.memory_region.mapped_pe.company ignore_above: 1024 level: extended name: company normalize: [] original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword process.Ext.memory_region.mapped_pe.description: dashed_name: process-Ext-memory-region-mapped-pe-description description: Internal description of the file, provided at compile-time. example: Paint flat_name: process.Ext.memory_region.mapped_pe.description ignore_above: 1024 level: extended name: description normalize: [] original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword process.Ext.memory_region.mapped_pe.file_version: dashed_name: process-Ext-memory-region-mapped-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 flat_name: process.Ext.memory_region.mapped_pe.file_version ignore_above: 1024 level: extended name: file_version normalize: [] original_fieldset: pe short: Process name. 
type: keyword process.Ext.memory_region.mapped_pe.go_import_hash: dashed_name: process-Ext-memory-region-mapped-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).' example: 10bddcb4cee42080f76c88d9ff964491 flat_name: process.Ext.memory_region.mapped_pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash normalize: [] original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword process.Ext.memory_region.mapped_pe.go_imports: dashed_name: process-Ext-memory-region-mapped-pe-go-imports description: List of imported Go language element names and types. flat_name: process.Ext.memory_region.mapped_pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened process.Ext.memory_region.mapped_pe.go_imports_names_entropy: dashed_name: process-Ext-memory-region-mapped-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. flat_name: process.Ext.memory_region.mapped_pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy normalize: [] original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long process.Ext.memory_region.mapped_pe.go_imports_names_var_entropy: dashed_name: process-Ext-memory-region-mapped-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. 
flat_name: process.Ext.memory_region.mapped_pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy normalize: [] original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long process.Ext.memory_region.mapped_pe.go_stripped: dashed_name: process-Ext-memory-region-mapped-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. flat_name: process.Ext.memory_region.mapped_pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean process.Ext.memory_region.mapped_pe.imphash: dashed_name: process-Ext-memory-region-mapped-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf flat_name: process.Ext.memory_region.mapped_pe.imphash ignore_above: 1024 level: extended name: imphash normalize: [] original_fieldset: pe short: A hash of the imports in a PE file. type: keyword process.Ext.memory_region.mapped_pe.import_hash: dashed_name: process-Ext-memory-region-mapped-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' 
example: d41d8cd98f00b204e9800998ecf8427e flat_name: process.Ext.memory_region.mapped_pe.import_hash ignore_above: 1024 level: extended name: import_hash normalize: [] original_fieldset: pe short: A hash of the imports in a PE file. type: keyword process.Ext.memory_region.mapped_pe.imports: dashed_name: process-Ext-memory-region-mapped-pe-imports description: List of imported element names and types. flat_name: process.Ext.memory_region.mapped_pe.imports level: extended name: imports normalize: - array original_fieldset: pe short: List of imported element names and types. type: flattened process.Ext.memory_region.mapped_pe.imports_names_entropy: dashed_name: process-Ext-memory-region-mapped-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. flat_name: process.Ext.memory_region.mapped_pe.imports_names_entropy format: number level: extended name: imports_names_entropy normalize: [] original_fieldset: pe short: Shannon entropy calculation from the list of imported element names and types. type: long process.Ext.memory_region.mapped_pe.imports_names_var_entropy: dashed_name: process-Ext-memory-region-mapped-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. flat_name: process.Ext.memory_region.mapped_pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy normalize: [] original_fieldset: pe short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long process.Ext.memory_region.mapped_pe.original_file_name: dashed_name: process-Ext-memory-region-mapped-pe-original-file-name description: Internal name of the file, provided at compile-time. 
example: MSPAINT.EXE flat_name: process.Ext.memory_region.mapped_pe.original_file_name ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword process.Ext.memory_region.mapped_pe.pehash: dashed_name: process-Ext-memory-region-mapped-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 flat_name: process.Ext.memory_region.mapped_pe.pehash ignore_above: 1024 level: extended name: pehash normalize: [] original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword process.Ext.memory_region.mapped_pe.product: dashed_name: process-Ext-memory-region-mapped-pe-product description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: process.Ext.memory_region.mapped_pe.product ignore_above: 1024 level: extended name: product normalize: [] original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword process.Ext.memory_region.mapped_pe.sections: dashed_name: process-Ext-memory-region-mapped-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' flat_name: process.Ext.memory_region.mapped_pe.sections level: extended name: sections normalize: - array original_fieldset: pe short: Section information of the PE file. 
type: nested process.Ext.memory_region.mapped_pe.sections.entropy: dashed_name: process-Ext-memory-region-mapped-pe-sections-entropy description: Shannon entropy calculation from the section. flat_name: process.Ext.memory_region.mapped_pe.sections.entropy format: number level: extended name: sections.entropy normalize: [] original_fieldset: pe short: Shannon entropy calculation from the section. type: long process.Ext.memory_region.mapped_pe.sections.name: dashed_name: process-Ext-memory-region-mapped-pe-sections-name description: PE Section List name. flat_name: process.Ext.memory_region.mapped_pe.sections.name ignore_above: 1024 level: extended name: sections.name normalize: [] original_fieldset: pe short: PE Section List name. type: keyword process.Ext.memory_region.mapped_pe.sections.physical_size: dashed_name: process-Ext-memory-region-mapped-pe-sections-physical-size description: PE Section List physical size. flat_name: process.Ext.memory_region.mapped_pe.sections.physical_size format: bytes level: extended name: sections.physical_size normalize: [] original_fieldset: pe short: PE Section List physical size. type: long process.Ext.memory_region.mapped_pe.sections.var_entropy: dashed_name: process-Ext-memory-region-mapped-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. flat_name: process.Ext.memory_region.mapped_pe.sections.var_entropy format: number level: extended name: sections.var_entropy normalize: [] original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long process.Ext.memory_region.mapped_pe.sections.virtual_size: dashed_name: process-Ext-memory-region-mapped-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. 
flat_name: process.Ext.memory_region.mapped_pe.sections.virtual_size format: string level: extended name: sections.virtual_size normalize: [] original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long process.Ext.memory_region.mapped_pe_detected: dashed_name: process-Ext-memory-region-mapped-pe-detected description: Whether the file at mapped_path is an executable. example: false flat_name: process.Ext.memory_region.mapped_pe_detected level: custom name: mapped_pe_detected normalize: [] original_fieldset: memory_region short: Whether the file at mapped_path is an executable. type: boolean process.Ext.memory_region.memory_pe.Ext.dotnet: dashed_name: process-Ext-memory-region-memory-pe-Ext-dotnet description: Whether this file is a .NET PE example: 'true' flat_name: process.Ext.memory_region.memory_pe.Ext.dotnet level: custom name: Ext.dotnet normalize: [] original_fieldset: pe short: Whether this file is a .NET PE type: boolean process.Ext.memory_region.memory_pe.Ext.sections: dashed_name: process-Ext-memory-region-memory-pe-Ext-sections description: The file's relevant sections, if it is a PE flat_name: process.Ext.memory_region.memory_pe.Ext.sections level: custom name: Ext.sections normalize: [] original_fieldset: pe short: The file's sections, if it is a PE type: object process.Ext.memory_region.memory_pe.Ext.sections.hash.md5: dashed_name: process-Ext-memory-region-memory-pe-Ext-sections-hash-md5 description: MD5 hash. flat_name: process.Ext.memory_region.memory_pe.Ext.sections.hash.md5 ignore_above: 1024 level: extended name: md5 normalize: [] original_fieldset: hash short: MD5 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.sections.hash.sha1: dashed_name: process-Ext-memory-region-memory-pe-Ext-sections-hash-sha1 description: SHA1 hash. 
flat_name: process.Ext.memory_region.memory_pe.Ext.sections.hash.sha1 ignore_above: 1024 level: extended name: sha1 normalize: [] original_fieldset: hash short: SHA1 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.sections.hash.sha256: dashed_name: process-Ext-memory-region-memory-pe-Ext-sections-hash-sha256 description: SHA256 hash. flat_name: process.Ext.memory_region.memory_pe.Ext.sections.hash.sha256 ignore_above: 1024 level: extended name: sha256 normalize: [] original_fieldset: hash short: SHA256 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.sections.hash.sha384: dashed_name: process-Ext-memory-region-memory-pe-Ext-sections-hash-sha384 description: SHA384 hash. flat_name: process.Ext.memory_region.memory_pe.Ext.sections.hash.sha384 ignore_above: 1024 level: extended name: sha384 normalize: [] original_fieldset: hash short: SHA384 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.sections.hash.sha512: dashed_name: process-Ext-memory-region-memory-pe-Ext-sections-hash-sha512 description: SHA512 hash. flat_name: process.Ext.memory_region.memory_pe.Ext.sections.hash.sha512 ignore_above: 1024 level: extended name: sha512 normalize: [] original_fieldset: hash short: SHA512 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.sections.hash.ssdeep: dashed_name: process-Ext-memory-region-memory-pe-Ext-sections-hash-ssdeep description: SSDEEP hash. flat_name: process.Ext.memory_region.memory_pe.Ext.sections.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep normalize: [] original_fieldset: hash short: SSDEEP hash. type: keyword process.Ext.memory_region.memory_pe.Ext.sections.hash.tlsh: dashed_name: process-Ext-memory-region-memory-pe-Ext-sections-hash-tlsh description: TLSH hash. flat_name: process.Ext.memory_region.memory_pe.Ext.sections.hash.tlsh ignore_above: 1024 level: extended name: tlsh normalize: [] original_fieldset: hash short: TLSH hash. 
type: keyword process.Ext.memory_region.memory_pe.Ext.sections.name: dashed_name: process-Ext-memory-region-memory-pe-Ext-sections-name description: The section's name example: .reloc flat_name: process.Ext.memory_region.memory_pe.Ext.sections.name ignore_above: 1024 level: custom name: Ext.sections.name normalize: [] original_fieldset: pe short: The section's name type: keyword process.Ext.memory_region.memory_pe.Ext.streams: dashed_name: process-Ext-memory-region-memory-pe-Ext-streams description: The file's streams, if it is a PE flat_name: process.Ext.memory_region.memory_pe.Ext.streams level: custom name: Ext.streams normalize: [] original_fieldset: pe short: The file's streams, if it is a PE type: object process.Ext.memory_region.memory_pe.Ext.streams.hash.md5: dashed_name: process-Ext-memory-region-memory-pe-Ext-streams-hash-md5 description: MD5 hash. flat_name: process.Ext.memory_region.memory_pe.Ext.streams.hash.md5 ignore_above: 1024 level: extended name: md5 normalize: [] original_fieldset: hash short: MD5 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.streams.hash.sha1: dashed_name: process-Ext-memory-region-memory-pe-Ext-streams-hash-sha1 description: SHA1 hash. flat_name: process.Ext.memory_region.memory_pe.Ext.streams.hash.sha1 ignore_above: 1024 level: extended name: sha1 normalize: [] original_fieldset: hash short: SHA1 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.streams.hash.sha256: dashed_name: process-Ext-memory-region-memory-pe-Ext-streams-hash-sha256 description: SHA256 hash. flat_name: process.Ext.memory_region.memory_pe.Ext.streams.hash.sha256 ignore_above: 1024 level: extended name: sha256 normalize: [] original_fieldset: hash short: SHA256 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.streams.hash.sha384: dashed_name: process-Ext-memory-region-memory-pe-Ext-streams-hash-sha384 description: SHA384 hash. 
flat_name: process.Ext.memory_region.memory_pe.Ext.streams.hash.sha384 ignore_above: 1024 level: extended name: sha384 normalize: [] original_fieldset: hash short: SHA384 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.streams.hash.sha512: dashed_name: process-Ext-memory-region-memory-pe-Ext-streams-hash-sha512 description: SHA512 hash. flat_name: process.Ext.memory_region.memory_pe.Ext.streams.hash.sha512 ignore_above: 1024 level: extended name: sha512 normalize: [] original_fieldset: hash short: SHA512 hash. type: keyword process.Ext.memory_region.memory_pe.Ext.streams.hash.ssdeep: dashed_name: process-Ext-memory-region-memory-pe-Ext-streams-hash-ssdeep description: SSDEEP hash. flat_name: process.Ext.memory_region.memory_pe.Ext.streams.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep normalize: [] original_fieldset: hash short: SSDEEP hash. type: keyword process.Ext.memory_region.memory_pe.Ext.streams.hash.tlsh: dashed_name: process-Ext-memory-region-memory-pe-Ext-streams-hash-tlsh description: TLSH hash. flat_name: process.Ext.memory_region.memory_pe.Ext.streams.hash.tlsh ignore_above: 1024 level: extended name: tlsh normalize: [] original_fieldset: hash short: TLSH hash. type: keyword process.Ext.memory_region.memory_pe.Ext.streams.name: dashed_name: process-Ext-memory-region-memory-pe-Ext-streams-name description: The stream's name example: .reloc flat_name: process.Ext.memory_region.memory_pe.Ext.streams.name ignore_above: 1024 level: custom name: Ext.streams.name normalize: [] original_fieldset: pe short: The stream's name type: keyword process.Ext.memory_region.memory_pe.architecture: dashed_name: process-Ext-memory-region-memory-pe-architecture description: CPU architecture target for the file. example: x64 flat_name: process.Ext.memory_region.memory_pe.architecture ignore_above: 1024 level: extended name: architecture normalize: [] original_fieldset: pe short: CPU architecture target for the file. 
  type: keyword
process.Ext.memory_region.memory_pe.company:
  dashed_name: process-Ext-memory-region-memory-pe-company
  description: Internal company name of the file, provided at compile-time.
  example: Microsoft Corporation
  flat_name: process.Ext.memory_region.memory_pe.company
  ignore_above: 1024
  level: extended
  name: company
  normalize: []
  original_fieldset: pe
  short: Internal company name of the file, provided at compile-time.
  type: keyword
process.Ext.memory_region.memory_pe.description:
  dashed_name: process-Ext-memory-region-memory-pe-description
  description: Internal description of the file, provided at compile-time.
  example: Paint
  flat_name: process.Ext.memory_region.memory_pe.description
  ignore_above: 1024
  level: extended
  name: description
  normalize: []
  original_fieldset: pe
  short: Internal description of the file, provided at compile-time.
  type: keyword
process.Ext.memory_region.memory_pe.file_version:
  dashed_name: process-Ext-memory-region-memory-pe-file-version
  description: Internal version of the file, provided at compile-time.
  example: 6.3.9600.17415
  flat_name: process.Ext.memory_region.memory_pe.file_version
  ignore_above: 1024
  level: extended
  name: file_version
  normalize: []
  original_fieldset: pe
  short: Internal version of the file, provided at compile-time.
  type: keyword
process.Ext.memory_region.memory_pe.go_import_hash:
  dashed_name: process-Ext-memory-region-memory-pe-go-import-hash
  description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).'
  example: 10bddcb4cee42080f76c88d9ff964491
  flat_name: process.Ext.memory_region.memory_pe.go_import_hash
  ignore_above: 1024
  level: extended
  name: go_import_hash
  normalize: []
  original_fieldset: pe
  short: A hash of the Go language imports in a PE file.
  type: keyword
process.Ext.memory_region.memory_pe.go_imports:
  dashed_name: process-Ext-memory-region-memory-pe-go-imports
  description: List of imported Go language element names and types.
  flat_name: process.Ext.memory_region.memory_pe.go_imports
  level: extended
  name: go_imports
  normalize: []
  original_fieldset: pe
  short: List of imported Go language element names and types.
  type: flattened
process.Ext.memory_region.memory_pe.go_imports_names_entropy:
  dashed_name: process-Ext-memory-region-memory-pe-go-imports-names-entropy
  description: Shannon entropy calculation from the list of Go imports.
  flat_name: process.Ext.memory_region.memory_pe.go_imports_names_entropy
  format: number
  level: extended
  name: go_imports_names_entropy
  normalize: []
  original_fieldset: pe
  short: Shannon entropy calculation from the list of Go imports.
  type: long
process.Ext.memory_region.memory_pe.go_imports_names_var_entropy:
  dashed_name: process-Ext-memory-region-memory-pe-go-imports-names-var-entropy
  description: Variance for Shannon entropy calculation from the list of Go imports.
  flat_name: process.Ext.memory_region.memory_pe.go_imports_names_var_entropy
  format: number
  level: extended
  name: go_imports_names_var_entropy
  normalize: []
  original_fieldset: pe
  short: Variance for Shannon entropy calculation from the list of Go imports.
  type: long
process.Ext.memory_region.memory_pe.go_stripped:
  dashed_name: process-Ext-memory-region-memory-pe-go-stripped
  description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
  flat_name: process.Ext.memory_region.memory_pe.go_stripped
  level: extended
  name: go_stripped
  normalize: []
  original_fieldset: pe
  short: Whether the file is a stripped or obfuscated Go executable.
  type: boolean
process.Ext.memory_region.memory_pe.imphash:
  dashed_name: process-Ext-memory-region-memory-pe-imphash
  description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
  example: 0c6803c4e922103c4dca5963aad36ddf
  flat_name: process.Ext.memory_region.memory_pe.imphash
  ignore_above: 1024
  level: extended
  name: imphash
  normalize: []
  original_fieldset: pe
  short: A hash of the imports in a PE file.
  type: keyword
process.Ext.memory_region.memory_pe.import_hash:
  dashed_name: process-Ext-memory-region-memory-pe-import-hash
  description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.'
  example: d41d8cd98f00b204e9800998ecf8427e
  flat_name: process.Ext.memory_region.memory_pe.import_hash
  ignore_above: 1024
  level: extended
  name: import_hash
  normalize: []
  original_fieldset: pe
  short: A hash of the imports in a PE file.
  type: keyword
process.Ext.memory_region.memory_pe.imports:
  dashed_name: process-Ext-memory-region-memory-pe-imports
  description: List of imported element names and types.
  flat_name: process.Ext.memory_region.memory_pe.imports
  level: extended
  name: imports
  normalize:
  - array
  original_fieldset: pe
  short: List of imported element names and types.
  type: flattened
process.Ext.memory_region.memory_pe.imports_names_entropy:
  dashed_name: process-Ext-memory-region-memory-pe-imports-names-entropy
  description: Shannon entropy calculation from the list of imported element names and types.
  flat_name: process.Ext.memory_region.memory_pe.imports_names_entropy
  format: number
  level: extended
  name: imports_names_entropy
  normalize: []
  original_fieldset: pe
  short: Shannon entropy calculation from the list of imported element names and types.
  type: long
process.Ext.memory_region.memory_pe.imports_names_var_entropy:
  dashed_name: process-Ext-memory-region-memory-pe-imports-names-var-entropy
  description: Variance for Shannon entropy calculation from the list of imported element names and types.
  flat_name: process.Ext.memory_region.memory_pe.imports_names_var_entropy
  format: number
  level: extended
  name: imports_names_var_entropy
  normalize: []
  original_fieldset: pe
  short: Variance for Shannon entropy calculation from the list of imported element names and types.
  type: long
process.Ext.memory_region.memory_pe.original_file_name:
  dashed_name: process-Ext-memory-region-memory-pe-original-file-name
  description: Internal name of the file, provided at compile-time.
  example: MSPAINT.EXE
  flat_name: process.Ext.memory_region.memory_pe.original_file_name
  ignore_above: 1024
  level: extended
  name: original_file_name
  normalize: []
  original_fieldset: pe
  short: Internal name of the file, provided at compile-time.
  type: keyword
process.Ext.memory_region.memory_pe.pehash:
  dashed_name: process-Ext-memory-region-memory-pe-pehash
  description: 'A hash of the PE header and data from one or more PE sections. A pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
  example: 73ff189b63cd6be375a7ff25179a38d347651975
  flat_name: process.Ext.memory_region.memory_pe.pehash
  ignore_above: 1024
  level: extended
  name: pehash
  normalize: []
  original_fieldset: pe
  short: A hash of the PE header and data from one or more PE sections.
  type: keyword
process.Ext.memory_region.memory_pe.product:
  dashed_name: process-Ext-memory-region-memory-pe-product
  description: Internal product name of the file, provided at compile-time.
  example: "Microsoft\xAE Windows\xAE Operating System"
  flat_name: process.Ext.memory_region.memory_pe.product
  ignore_above: 1024
  level: extended
  name: product
  normalize: []
  original_fieldset: pe
  short: Internal product name of the file, provided at compile-time.
  type: keyword
process.Ext.memory_region.memory_pe.sections:
  dashed_name: process-Ext-memory-region-memory-pe-sections
  description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.'
  flat_name: process.Ext.memory_region.memory_pe.sections
  level: extended
  name: sections
  normalize:
  - array
  original_fieldset: pe
  short: Section information of the PE file.
  type: nested
process.Ext.memory_region.memory_pe.sections.entropy:
  dashed_name: process-Ext-memory-region-memory-pe-sections-entropy
  description: Shannon entropy calculation from the section.
  flat_name: process.Ext.memory_region.memory_pe.sections.entropy
  format: number
  level: extended
  name: sections.entropy
  normalize: []
  original_fieldset: pe
  short: Shannon entropy calculation from the section.
  type: long
process.Ext.memory_region.memory_pe.sections.name:
  dashed_name: process-Ext-memory-region-memory-pe-sections-name
  description: PE Section List name.
  flat_name: process.Ext.memory_region.memory_pe.sections.name
  ignore_above: 1024
  level: extended
  name: sections.name
  normalize: []
  original_fieldset: pe
  short: PE Section List name.
  type: keyword
process.Ext.memory_region.memory_pe.sections.physical_size:
  dashed_name: process-Ext-memory-region-memory-pe-sections-physical-size
  description: PE Section List physical size.
  flat_name: process.Ext.memory_region.memory_pe.sections.physical_size
  format: bytes
  level: extended
  name: sections.physical_size
  normalize: []
  original_fieldset: pe
  short: PE Section List physical size.
  type: long
process.Ext.memory_region.memory_pe.sections.var_entropy:
  dashed_name: process-Ext-memory-region-memory-pe-sections-var-entropy
  description: Variance for Shannon entropy calculation from the section.
  flat_name: process.Ext.memory_region.memory_pe.sections.var_entropy
  format: number
  level: extended
  name: sections.var_entropy
  normalize: []
  original_fieldset: pe
  short: Variance for Shannon entropy calculation from the section.
  type: long
process.Ext.memory_region.memory_pe.sections.virtual_size:
  dashed_name: process-Ext-memory-region-memory-pe-sections-virtual-size
  description: PE Section List virtual size. This is always the same as `physical_size`.
  flat_name: process.Ext.memory_region.memory_pe.sections.virtual_size
  format: string
  level: extended
  name: sections.virtual_size
  normalize: []
  original_fieldset: pe
  short: PE Section List virtual size. This is always the same as `physical_size`.
  type: long
process.Ext.memory_region.memory_pe_detected:
  dashed_name: process-Ext-memory-region-memory-pe-detected
  description: Whether an executable file was found in memory.
  example: false
  flat_name: process.Ext.memory_region.memory_pe_detected
  level: custom
  name: memory_pe_detected
  normalize: []
  original_fieldset: memory_region
  short: Whether an executable file was found in memory.
  type: boolean
process.Ext.memory_region.region_base:
  dashed_name: process-Ext-memory-region-region-base
  description: Base address of the memory region.
  example: 2431737462784
  flat_name: process.Ext.memory_region.region_base
  level: custom
  name: region_base
  normalize: []
  original_fieldset: memory_region
  short: Base address of the memory region.
  type: unsigned_long
process.Ext.memory_region.region_protection:
  dashed_name: process-Ext-memory-region-region-protection
  description: Memory protection of the memory region. Example values include "RWX" and "R-X".
  example: RWX
  flat_name: process.Ext.memory_region.region_protection
  ignore_above: 1024
  level: custom
  name: region_protection
  normalize: []
  original_fieldset: memory_region
  short: Memory protection of the memory region. Example values include "RWX" and "R-X".
  type: keyword
process.Ext.memory_region.region_size:
  dashed_name: process-Ext-memory-region-region-size
  description: Size of the memory region.
  example: 4096
  flat_name: process.Ext.memory_region.region_size
  level: custom
  name: region_size
  normalize: []
  original_fieldset: memory_region
  short: Size of the memory region.
  type: unsigned_long
process.Ext.memory_region.region_start_bytes:
  dashed_name: process-Ext-memory-region-region-start-bytes
  description: First 64 bytes at the region base address.
  example: 4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000000000000000000000000000000000000000000
  flat_name: process.Ext.memory_region.region_start_bytes
  ignore_above: 1024
  level: custom
  name: region_start_bytes
  normalize: []
  original_fieldset: memory_region
  short: First 64 bytes at the region base address.
  type: keyword
process.Ext.memory_region.region_state:
  dashed_name: process-Ext-memory-region-region-state
  description: State of the memory region. Example values include "RESERVE", "COMMIT", and "FREE".
  example: COMMIT
  flat_name: process.Ext.memory_region.region_state
  ignore_above: 1024
  level: custom
  name: region_state
  normalize: []
  original_fieldset: memory_region
  short: State of the memory region. Example values include "RESERVE", "COMMIT", and "FREE".
  type: keyword
process.Ext.memory_region.strings:
  dashed_name: process-Ext-memory-region-strings
  description: Array of strings found within the memory region.
  doc_values: false
  flat_name: process.Ext.memory_region.strings
  index: false
  level: custom
  name: strings
  normalize: []
  original_fieldset: memory_region
  short: Array of strings found within the memory region.
  type: keyword
process.Ext.protection:
  dashed_name: process-Ext-protection
  description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light.
  flat_name: process.Ext.protection
  ignore_above: 1024
  level: custom
  name: Ext.protection
  normalize: []
  short: OS-level protections granted to this process
  type: keyword
process.Ext.token.integrity_level_name:
  dashed_name: process-Ext-token-integrity-level-name
  description: Human readable integrity level.
  example: one of "system", "high", "medium", "low", "untrusted"
  flat_name: process.Ext.token.integrity_level_name
  ignore_above: 1024
  level: custom
  name: integrity_level_name
  normalize: []
  original_fieldset: token
  short: Human readable integrity level.
  type: keyword
process.code_signature.exists:
  dashed_name: process-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: process.code_signature.exists
  level: core
  name: exists
  normalize: []
  original_fieldset: code_signature
  short: Boolean to capture if a signature is present.
  type: boolean
process.code_signature.status:
  dashed_name: process-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: process.code_signature.status
  ignore_above: 1024
  level: extended
  name: status
  normalize: []
  original_fieldset: code_signature
  short: Additional information about the certificate status.
  type: keyword
process.code_signature.subject_name:
  dashed_name: process-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: process.code_signature.subject_name
  ignore_above: 1024
  level: core
  name: subject_name
  normalize: []
  original_fieldset: code_signature
  short: Subject name of the code signer
  type: keyword
process.code_signature.trusted:
  dashed_name: process-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: process.code_signature.trusted
  level: extended
  name: trusted
  normalize: []
  original_fieldset: code_signature
  short: Stores the trust status of the certificate chain.
  type: boolean
process.command_line:
  dashed_name: process-command-line
  description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.'
  example: /usr/bin/ssh -l user 10.0.0.16
  flat_name: process.command_line
  level: extended
  multi_fields:
  - flat_name: process.command_line.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.command_line.text
    name: text
    norms: false
    type: text
  name: command_line
  normalize: []
  short: Full command line that started the process.
  type: wildcard
process.entity_id:
  dashed_name: process-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  short: Unique identifier for the process.
  type: keyword
process.executable:
  dashed_name: process-executable
  description: Absolute path to the process executable.
  example: /usr/bin/ssh
  flat_name: process.executable
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.executable.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.executable.text
    name: text
    norms: false
    type: text
  name: executable
  normalize: []
  short: Absolute path to the process executable.
  type: keyword
process.name:
  dashed_name: process-name
  description: 'Process name. Sometimes called program name or similar.'
  example: ssh
  flat_name: process.name
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.name.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.name.text
    name: text
    norms: false
    type: text
  name: name
  normalize: []
  short: Process name.
  type: keyword
process.pid:
  dashed_name: process-pid
  description: Process id.
  example: 4242
  flat_name: process.pid
  format: string
  level: core
  name: pid
  normalize: []
  short: Process id.
  type: long
process.thread.Ext:
  dashed_name: process-thread-Ext
  description: Object for all custom defined fields to live in.
  flat_name: process.thread.Ext
  level: custom
  name: thread.Ext
  normalize: []
  short: Object for all custom defined fields to live in.
  type: object
process.thread.Ext.call_stack:
  dashed_name: process-thread-Ext-call-stack
  description: Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame.
  enabled: false
  flat_name: process.thread.Ext.call_stack
  level: custom
  name: call_stack
  normalize: []
  original_fieldset: call_stack
  short: Fields describing a stack frame.
  type: object
process.thread.Ext.call_stack.allocation_private_bytes:
  dashed_name: process-thread-Ext-call-stack-allocation-private-bytes
  description: The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing.
  flat_name: process.thread.Ext.call_stack.allocation_private_bytes
  level: custom
  name: allocation_private_bytes
  normalize: []
  original_fieldset: call_stack
  short: The number of bytes in this memory allocation/image that are both +X and non-shareable.
  type: unsigned_long
process.thread.Ext.call_stack.callsite_leading_bytes:
  dashed_name: process-thread-Ext-call-stack-callsite-leading-bytes
  description: Hex opcode bytes preceding the callsite
  flat_name: process.thread.Ext.call_stack.callsite_leading_bytes
  ignore_above: 1024
  level: custom
  name: callsite_leading_bytes
  normalize: []
  original_fieldset: call_stack
  short: Hex opcode bytes preceding the callsite
  type: keyword
process.thread.Ext.call_stack.callsite_trailing_bytes:
  dashed_name: process-thread-Ext-call-stack-callsite-trailing-bytes
  description: Hex opcode bytes after the callsite (where control will return to)
  flat_name: process.thread.Ext.call_stack.callsite_trailing_bytes
  ignore_above: 1024
  level: custom
  name: callsite_trailing_bytes
  normalize: []
  original_fieldset: call_stack
  short: Hex opcode bytes after the callsite (where control will return to)
  type: keyword
process.thread.Ext.call_stack.instruction_pointer:
  dashed_name: process-thread-Ext-call-stack-instruction-pointer
  description: The return address of this stack frame.
  flat_name: process.thread.Ext.call_stack.instruction_pointer
  ignore_above: 1024
  level: custom
  name: instruction_pointer
  normalize: []
  original_fieldset: call_stack
  short: The return address of this stack frame.
  type: keyword
process.thread.Ext.call_stack.module_path:
  dashed_name: process-thread-Ext-call-stack-module-path
  description: The path to the DLL/module containing `instruction_pointer`.
  flat_name: process.thread.Ext.call_stack.module_path
  ignore_above: 1024
  level: custom
  name: module_path
  normalize: []
  original_fieldset: call_stack
  short: The path to the DLL/module containing `instruction_pointer`.
  type: keyword
process.thread.Ext.call_stack.protection:
  dashed_name: process-thread-Ext-call-stack-protection
  description: Protection of the page containing this instruction. This is `R-X` by default if omitted.
  flat_name: process.thread.Ext.call_stack.protection
  ignore_above: 1024
  level: custom
  name: protection
  normalize: []
  original_fieldset: call_stack
  short: Protection of the page containing this instruction. This is `R-X` by default if omitted.
  type: keyword
process.thread.Ext.call_stack.protection_provenance:
  dashed_name: process-thread-Ext-call-stack-protection-provenance
  description: The name of the memory region that last modified the protection of this page. "Unbacked" can indicate shellcode.
  flat_name: process.thread.Ext.call_stack.protection_provenance
  ignore_above: 1024
  level: custom
  name: protection_provenance
  normalize: []
  original_fieldset: call_stack
  short: The name of the memory region that last modified the protection of this page. "Unbacked" can indicate shellcode.
  type: keyword
process.thread.Ext.call_stack.symbol_info:
  dashed_name: process-thread-Ext-call-stack-symbol-info
  description: The nearest symbol for `instruction_pointer`.
  flat_name: process.thread.Ext.call_stack.symbol_info
  ignore_above: 1024
  level: custom
  name: symbol_info
  normalize: []
  original_fieldset: call_stack
  short: The nearest symbol for `instruction_pointer`.
  type: keyword
process.thread.Ext.call_stack_contains_unbacked:
  dashed_name: process-thread-Ext-call-stack-contains-unbacked
  description: Indicates whether the creating thread's stack contains frames pointing outside any known executable image.
  flat_name: process.thread.Ext.call_stack_contains_unbacked
  level: custom
  name: thread.Ext.call_stack_contains_unbacked
  normalize: []
  short: Indicates whether the creating thread's stack contains frames pointing outside any known executable image.
  type: boolean
process.thread.Ext.call_stack_final_hook_module:
  dashed_name: process-thread-Ext-call-stack-final-hook-module
  description: The module that installed the final API hook in the call stack.
  flat_name: process.thread.Ext.call_stack_final_hook_module
  level: custom
  name: thread.Ext.call_stack_final_hook_module
  normalize: []
  short: The module that installed the final API hook in the call stack.
  type: nested
process.thread.Ext.call_stack_final_hook_module.code_signature:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature
  description: Code signature of the call_stack_final_hook_module.
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature
  normalize: []
  short: Code signature of the call_stack_final_hook_module.
  type: nested
process.thread.Ext.call_stack_final_hook_module.code_signature.exists:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature.exists
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature.exists
  normalize: []
  short: Boolean to capture if a signature is present.
  type: boolean
process.thread.Ext.call_stack_final_hook_module.code_signature.status:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature.status
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature.status
  normalize: []
  short: Additional information about the certificate status.
  type: keyword
process.thread.Ext.call_stack_final_hook_module.code_signature.subject_name:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature.subject_name
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature.subject_name
  normalize: []
  short: Subject name of the code signer
  type: keyword
process.thread.Ext.call_stack_final_hook_module.code_signature.trusted:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: process.thread.Ext.call_stack_final_hook_module.code_signature.trusted
  level: custom
  name: thread.Ext.call_stack_final_hook_module.code_signature.trusted
  normalize: []
  short: Stores the trust status of the certificate chain.
  type: boolean
process.thread.Ext.call_stack_final_hook_module.hash:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-hash
  description: Hashes of the call_stack_final_hook_module.
  flat_name: process.thread.Ext.call_stack_final_hook_module.hash
  level: custom
  name: thread.Ext.call_stack_final_hook_module.hash
  normalize: []
  short: Hashes of the call_stack_final_hook_module.
  type: object
process.thread.Ext.call_stack_final_hook_module.hash.sha256:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-hash-sha256
  description: The sha256 of the call_stack_final_hook_module.
  example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0
  flat_name: process.thread.Ext.call_stack_final_hook_module.hash.sha256
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_hook_module.hash.sha256
  normalize: []
  short: The sha256 of the call_stack_final_hook_module.
  type: keyword
process.thread.Ext.call_stack_final_hook_module.path:
  dashed_name: process-thread-Ext-call-stack-final-hook-module-path
  description: The file path of the call_stack_final_hook_module.
  example: C:\Program Files\Example\example.dll
  flat_name: process.thread.Ext.call_stack_final_hook_module.path
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_hook_module.path
  normalize: []
  short: The file path of the call_stack_final_hook_module.
  type: keyword
process.thread.Ext.call_stack_final_user_module:
  dashed_name: process-thread-Ext-call-stack-final-user-module
  description: The final non-win32 module in the call stack.
  flat_name: process.thread.Ext.call_stack_final_user_module
  level: custom
  name: thread.Ext.call_stack_final_user_module
  normalize: []
  short: The final non-win32 module in the call stack.
  type: nested
process.thread.Ext.call_stack_final_user_module.allocation_private_bytes:
  dashed_name: process-thread-Ext-call-stack-final-user-module-allocation-private-bytes
  description: The number of bytes in this memory region that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing.
  flat_name: process.thread.Ext.call_stack_final_user_module.allocation_private_bytes
  level: custom
  name: thread.Ext.call_stack_final_user_module.allocation_private_bytes
  normalize: []
  short: The number of bytes in this memory region that are both +X and non-shareable.
  type: unsigned_long
process.thread.Ext.call_stack_final_user_module.code_signature:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature
  description: Code signature of the call_stack_final_user_module.
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature
  normalize: []
  short: Code signature of the call_stack_final_user_module.
  type: nested
process.thread.Ext.call_stack_final_user_module.code_signature.exists:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-exists
  description: Boolean to capture if a signature is present.
  example: 'true'
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.exists
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature.exists
  normalize: []
  short: Boolean to capture if a signature is present.
  type: boolean
process.thread.Ext.call_stack_final_user_module.code_signature.status:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-status
  description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
  example: ERROR_UNTRUSTED_ROOT
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.status
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature.status
  normalize: []
  short: Additional information about the certificate status.
  type: keyword
process.thread.Ext.call_stack_final_user_module.code_signature.subject_name:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-subject-name
  description: Subject name of the code signer
  example: Microsoft Corporation
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.subject_name
  ignore_above: 1024
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature.subject_name
  normalize: []
  short: Subject name of the code signer
  type: keyword
process.thread.Ext.call_stack_final_user_module.code_signature.trusted:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-trusted
  description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
  example: 'true'
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.trusted
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature.trusted
  normalize: []
  short: Stores the trust status of the certificate chain.
  type: boolean
process.thread.Ext.call_stack_final_user_module.code_signature.valid:
  dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-valid
  description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.'
  example: 'true'
  flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.valid
  level: custom
  name: thread.Ext.call_stack_final_user_module.code_signature.valid
  normalize: []
  short: Boolean to capture if the digital signature is verified against the binary content.
  type: boolean
process.thread.Ext.call_stack_final_user_module.hash:
  dashed_name: process-thread-Ext-call-stack-final-user-module-hash
  description: Hashes of the call_stack_final_user_module.
flat_name: process.thread.Ext.call_stack_final_user_module.hash level: custom name: thread.Ext.call_stack_final_user_module.hash normalize: [] short: Hashes of the call_stack_final_user_module. type: object process.thread.Ext.call_stack_final_user_module.hash.sha256: dashed_name: process-thread-Ext-call-stack-final-user-module-hash-sha256 description: The sha256 of the call_stack_final_user_module. example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0 flat_name: process.thread.Ext.call_stack_final_user_module.hash.sha256 ignore_above: 1024 level: custom name: thread.Ext.call_stack_final_user_module.hash.sha256 normalize: [] short: The sha256 of the call_stack_final_user_module. type: keyword process.thread.Ext.call_stack_final_user_module.name: dashed_name: process-thread-Ext-call-stack-final-user-module-name description: The file name of the call_stack_final_user_module. example: example.dll flat_name: process.thread.Ext.call_stack_final_user_module.name ignore_above: 1024 level: custom name: thread.Ext.call_stack_final_user_module.name normalize: [] short: The file name of the call_stack_final_user_module. type: keyword process.thread.Ext.call_stack_final_user_module.path: dashed_name: process-thread-Ext-call-stack-final-user-module-path description: The file path of the call_stack_final_user_module. example: C:\Program Files\Example\example.dll flat_name: process.thread.Ext.call_stack_final_user_module.path ignore_above: 1024 level: custom name: thread.Ext.call_stack_final_user_module.path normalize: [] short: The file path of the call_stack_final_user_module. type: keyword process.thread.Ext.call_stack_final_user_module.protection: dashed_name: process-thread-Ext-call-stack-final-user-module-protection description: The memory protection for the acting region of pages. 
Corresponds to `MEMORY_BASIC_INFORMATION.Protect` example: RWX flat_name: process.thread.Ext.call_stack_final_user_module.protection ignore_above: 1024 level: custom name: thread.Ext.call_stack_final_user_module.protection normalize: [] short: The memory protection for the acting region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` type: keyword process.thread.Ext.call_stack_final_user_module.protection_provenance: dashed_name: process-thread-Ext-call-stack-final-user-module-protection-provenance description: The name of the memory region that caused the last modification of the protection of this page. "Unbacked" may indicate shellcode. example: third_party_hook.dll flat_name: process.thread.Ext.call_stack_final_user_module.protection_provenance ignore_above: 1024 level: custom name: thread.Ext.call_stack_final_user_module.protection_provenance normalize: [] short: The name of the memory region that caused the last modification of the protection of this page. type: keyword process.thread.Ext.call_stack_final_user_module.protection_provenance_path: dashed_name: process-thread-Ext-call-stack-final-user-module-protection-provenance-path description: The path of the module that caused the last modification the protection of this page. example: C:\Program Files\Hook Inc\third_party_hook.dll flat_name: process.thread.Ext.call_stack_final_user_module.protection_provenance_path ignore_above: 1024 level: custom name: thread.Ext.call_stack_final_user_module.protection_provenance_path normalize: [] short: The path of the module that caused the last modification the protection of this page. type: keyword process.thread.Ext.call_stack_final_user_module.reason: dashed_name: process-thread-Ext-call-stack-final-user-module-reason description: The unexpected call_stack_summary that led to an "Undetermined" protection_provenance. 
example: ntdll.dll|kernelbase.dll flat_name: process.thread.Ext.call_stack_final_user_module.reason ignore_above: 1024 level: custom name: thread.Ext.call_stack_final_user_module.reason normalize: [] short: The unexpected call_stack_summary that led to an "Undetermined" protection_provenance. type: keyword process.thread.Ext.call_stack_summary: dashed_name: process-thread-Ext-call-stack-summary description: Concatentation of the non-repeated modules in the call stack. example: ntdll.dll|example.exe|kernel32.dll|ntdll.dll flat_name: process.thread.Ext.call_stack_summary ignore_above: 1024 level: custom name: thread.Ext.call_stack_summary normalize: [] short: Concatentation of the non-repeated modules in the call stack. type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. example: 4242 flat_name: process.thread.id format: string level: extended name: thread.id normalize: [] short: Thread ID. type: long user.domain: dashed_name: user-domain description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' flat_name: user.domain ignore_above: 1024 level: extended name: domain normalize: [] short: Name of the directory the user is a member of. type: keyword user.hash: dashed_name: user-hash description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' flat_name: user.hash ignore_above: 1024 level: extended name: hash normalize: [] short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: dashed_name: user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: user.id ignore_above: 1024 level: core name: id normalize: [] short: Unique identifier of the user. type: keyword user.name: dashed_name: user-name description: Short name or login of the user. 
example: a.einstein flat_name: user.name ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text name: text type: match_only_text name: name normalize: [] short: Short name or login of the user. type: keyword
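Worked example of consuming the call_stack_final_user_module and call_stack_summary fields defined above. This is an added illustration, not code from the schema or from the endpoint that emits these events: the two sample events are constructed, the SYSTEM_MODULES list and every threshold are the author's assumptions, and `flatten`, `triage` and `_event` are helper names chosen here. The rules do nothing more than read the documented semantics back: RWX `protection`, "Unbacked" or "Undetermined" `protection_provenance` (with its `reason`), non-zero `allocation_private_bytes` in an image-backed module, an absent or untrusted `code_signature` (handled as a list because the type is `nested`), and a `call_stack_summary` with no user module in it.

```python
"""Event triage over the process.thread.Ext.call_stack_final_user_module and
call_stack_summary fields defined in this schema.  Added example: the two
events at the bottom are constructed, and the rules are one analyst's reading
of the field descriptions, not detection logic shipped by the endpoint."""

from typing import Any

BASE = "process.thread.Ext.call_stack_final_user_module."
SUMMARY = "process.thread.Ext.call_stack_summary"
# Modules treated as "not a user module", matching the shape of the `reason`
# example (ntdll.dll|kernelbase.dll).  Assumed list; extend for your estate.
SYSTEM_MODULES = {"ntdll.dll", "kernelbase.dll", "kernel32.dll"}


def flatten(event: dict[str, Any], prefix: str = "") -> dict[str, Any]:
    """Map a nested event document onto ECS flat_name keys.  Lists (the
    `nested` code_signature) are kept as values rather than expanded."""
    out: dict[str, Any] = {}
    for key, value in event.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out


def triage(event: dict[str, Any]) -> list[str]:
    """Return human-readable findings for one event; [] means nothing notable."""
    f = flatten(event)
    findings: list[str] = []

    # protection mirrors MEMORY_BASIC_INFORMATION.Protect as letters, e.g. RWX.
    prot = str(f.get(BASE + "protection", ""))
    if "W" in prot and "X" in prot:
        findings.append(f"final user module is writable and executable ({prot})")

    # "Unbacked" means the last protection change came from memory with no
    # file behind it, which the schema notes may indicate shellcode.
    prov = f.get(BASE + "protection_provenance")
    if prov == "Unbacked":
        findings.append("protection last modified from unbacked memory")
    elif prov == "Undetermined":
        findings.append(f"provenance undetermined, reason={f.get(BASE + 'reason')}")

    # Non-zero private +X bytes inside an image-backed module mean something
    # rewrote its code (hooking, patching, hollowing).
    private = int(f.get(BASE + "allocation_private_bytes", 0) or 0)
    if private and f.get(BASE + "path"):
        findings.append(f"{private} private +X bytes in {f.get(BASE + 'name')}")

    # code_signature is type `nested`, so it arrives as a list of objects.
    for sig in f.get(BASE + "code_signature") or []:
        if sig.get("exists") is False:
            findings.append("final user module is unsigned")
        elif sig.get("trusted") is False:
            findings.append(
                f"signature not trusted: {sig.get('status')} ({sig.get('subject_name')})"
            )

    # A summary made only of system modules is the shape the `reason` example
    # shows for an Undetermined provenance; surface it on its own as well.
    modules = [m for m in str(f.get(SUMMARY, "")).split("|") if m]
    if modules and all(m.lower() in SYSTEM_MODULES for m in modules):
        findings.append(f"no user module in call stack: {'|'.join(modules)}")
    return findings


def _event(module: dict[str, Any], summary: str) -> dict[str, Any]:
    """Build a minimal nested event document (helper for the samples below)."""
    ext = {"call_stack_final_user_module": module, "call_stack_summary": summary}
    return {"process": {"thread": {"Ext": ext, "id": 4242}}}


# Constructed sample events (not captured telemetry).
BENIGN_EVENT = _event(
    {
        "name": "example.dll",
        "path": r"C:\Program Files\Example\example.dll",
        "protection": "RX",
        "protection_provenance": "example.dll",
        "allocation_private_bytes": 0,
        "code_signature": [{"exists": True, "trusted": True, "valid": True,
                            "subject_name": "Example Corp"}],
    },
    "ntdll.dll|example.exe|kernel32.dll|ntdll.dll",
)

INJECTED_EVENT = _event(
    {
        "name": "example.dll",
        "path": r"C:\Program Files\Example\example.dll",
        "protection": "RWX",
        "protection_provenance": "Unbacked",
        "allocation_private_bytes": 4096,
        "code_signature": [{"exists": False}],
    },
    "ntdll.dll|kernelbase.dll",
)

if __name__ == "__main__":
    for label, ev in (("benign", BENIGN_EVENT), ("injected", INJECTED_EVENT)):
        print(label, triage(ev))
```

Running the block prints an empty finding list for the benign event and five findings for the injected one. The `flatten` step is the part worth keeping: querying by `flat_name` keeps the rules identical whether the event arrives as a nested JSON document or as an already-flattened row, and it leaves the `nested` code_signature list intact so that `exists`, `trusted` and `status` are read from the same signature object.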