'@timestamp':
dashed_name: timestamp
description: 'Date/time when the event originated.
This is the date/time extracted from the event, typically representing when the
event was generated by the source.
If the event source has no original timestamp, this value is typically populated
by the first time the event was received by the pipeline.
Required field for all events.'
example: '2016-05-23T08:05:34.853Z'
flat_name: '@timestamp'
level: core
name: '@timestamp'
normalize: []
required: true
short: Date/time when the event originated.
type: date
Endpoint.metrics:
dashed_name: Endpoint-metrics
description: Metrics fields hold the endpoint and system's performance metrics
flat_name: Endpoint.metrics
level: custom
name: metrics
normalize: []
short: Metrics fields hold the endpoint and system's performance metrics
type: object
Endpoint.metrics.cpu:
dashed_name: Endpoint-metrics-cpu
description: CPU statistics
flat_name: Endpoint.metrics.cpu
level: custom
name: metrics.cpu
normalize: []
short: CPU statistics
type: object
Endpoint.metrics.cpu.endpoint:
dashed_name: Endpoint-metrics-cpu-endpoint
description: CPU metrics for the endpoint
flat_name: Endpoint.metrics.cpu.endpoint
level: custom
name: metrics.cpu.endpoint
normalize: []
short: CPU metrics for the endpoint
type: object
Endpoint.metrics.cpu.endpoint.histogram:
dashed_name: Endpoint-metrics-cpu-endpoint-histogram
description: This field defines an elasticsearch histogram field (https://www.elastic.co/guide/en/elasticsearch/reference/current/histogram.html#histogram).
The values field includes 20 buckets (each bucket is 5%) representing the cpu
usage. The counts field includes 20 buckets of how many times the endpoint's cpu
usage fell into each bucket.
flat_name: Endpoint.metrics.cpu.endpoint.histogram
level: custom
name: metrics.cpu.endpoint.histogram
normalize: []
short: CPU histogram
type: histogram
Endpoint.metrics.cpu.endpoint.latest:
dashed_name: Endpoint-metrics-cpu-endpoint-latest
description: Average CPU over the last sample interval
flat_name: Endpoint.metrics.cpu.endpoint.latest
level: custom
name: metrics.cpu.endpoint.latest
normalize: []
short: Average CPU over the last sample interval
type: half_float
Endpoint.metrics.cpu.endpoint.mean:
dashed_name: Endpoint-metrics-cpu-endpoint-mean
description: Average CPU load used by the endpoint
flat_name: Endpoint.metrics.cpu.endpoint.mean
level: custom
name: metrics.cpu.endpoint.mean
normalize: []
short: Average CPU load used by the endpoint
type: half_float
Endpoint.metrics.disks:
dashed_name: Endpoint-metrics-disks
description: An array of disk information for the host
enabled: false
flat_name: Endpoint.metrics.disks
level: custom
name: metrics.disks
normalize: []
short: An array of disk information for the host
type: object
Endpoint.metrics.disks.device:
dashed_name: Endpoint-metrics-disks-device
description: Device name
flat_name: Endpoint.metrics.disks.device
ignore_above: 1024
level: custom
name: metrics.disks.device
normalize: []
short: Device name
type: keyword
Endpoint.metrics.disks.endpoint_drive:
dashed_name: Endpoint-metrics-disks-endpoint-drive
description: This field will be present and set to true only for the drive that
holds the installed endpoint
flat_name: Endpoint.metrics.disks.endpoint_drive
level: custom
name: metrics.disks.endpoint_drive
normalize: []
short: This field will be present and set to true only for the drive that holds
the installed endpoint
type: boolean
Endpoint.metrics.disks.free:
dashed_name: Endpoint-metrics-disks-free
description: The number of bytes marked as free on the disk
flat_name: Endpoint.metrics.disks.free
level: custom
name: metrics.disks.free
normalize: []
short: The number of bytes marked as free on the disk
type: long
Endpoint.metrics.disks.fstype:
dashed_name: Endpoint-metrics-disks-fstype
description: The file system type for the drive
flat_name: Endpoint.metrics.disks.fstype
ignore_above: 1024
level: custom
name: metrics.disks.fstype
normalize: []
short: The file system type for the drive
type: keyword
Endpoint.metrics.disks.mount:
dashed_name: Endpoint-metrics-disks-mount
description: The disk's mount location
flat_name: Endpoint.metrics.disks.mount
ignore_above: 1024
level: custom
name: metrics.disks.mount
normalize: []
short: The disk's mount location
type: keyword
Endpoint.metrics.disks.total:
dashed_name: Endpoint-metrics-disks-total
description: The size of the disk in bytes
flat_name: Endpoint.metrics.disks.total
level: custom
name: metrics.disks.total
normalize: []
short: The size of the disk in bytes
type: long
Endpoint.metrics.documents_volume:
dashed_name: Endpoint-metrics-documents-volume
description: Statistics about sent documents
flat_name: Endpoint.metrics.documents_volume
level: custom
name: metrics.documents_volume
normalize: []
short: Statistics about sent documents
type: object
Endpoint.metrics.documents_volume.alerts.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-alerts-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.alerts.sent_bytes
level: custom
name: metrics.documents_volume.alerts.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.alerts.sent_count:
dashed_name: Endpoint-metrics-documents-volume-alerts-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.alerts.sent_count
level: custom
name: metrics.documents_volume.alerts.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.alerts.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-alerts-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.alerts.suppressed_bytes
level: custom
name: metrics.documents_volume.alerts.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.alerts.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-alerts-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.alerts.suppressed_count
level: custom
name: metrics.documents_volume.alerts.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.documents_volume.api_events.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-api-events-sent-bytes
description: Total size of API Event sent documents
flat_name: Endpoint.metrics.documents_volume.api_events.sent_bytes
level: custom
name: metrics.documents_volume.api_events.sent_bytes
normalize: []
short: Total size of API Event sent documents
type: long
Endpoint.metrics.documents_volume.api_events.sent_count:
dashed_name: Endpoint-metrics-documents-volume-api-events-sent-count
description: Number of sent API Event documents
flat_name: Endpoint.metrics.documents_volume.api_events.sent_count
level: custom
name: metrics.documents_volume.api_events.sent_count
normalize: []
short: Number of sent API Event documents
type: long
Endpoint.metrics.documents_volume.api_events.sources:
dashed_name: Endpoint-metrics-documents-volume-api-events-sources
description: An array of API Event document statistics per source
flat_name: Endpoint.metrics.documents_volume.api_events.sources
level: custom
name: metrics.documents_volume.api_events.sources
normalize: []
short: An array of API Event document statistics per source
type: object
Endpoint.metrics.documents_volume.api_events.sources.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-api-events-sources-sent-bytes
description: Total size of API Event sent documents from source
flat_name: Endpoint.metrics.documents_volume.api_events.sources.sent_bytes
level: custom
name: metrics.documents_volume.api_events.sources.sent_bytes
normalize: []
short: Total size of API Event sent documents from source
type: long
Endpoint.metrics.documents_volume.api_events.sources.sent_count:
dashed_name: Endpoint-metrics-documents-volume-api-events-sources-sent-count
description: Number of sent API Event documents from source
flat_name: Endpoint.metrics.documents_volume.api_events.sources.sent_count
level: custom
name: metrics.documents_volume.api_events.sources.sent_count
normalize: []
short: Number of sent API Event documents from source
type: long
Endpoint.metrics.documents_volume.api_events.sources.source:
dashed_name: Endpoint-metrics-documents-volume-api-events-sources-source
description: API Event document source name
flat_name: Endpoint.metrics.documents_volume.api_events.sources.source
ignore_above: 1024
level: custom
name: metrics.documents_volume.api_events.sources.source
normalize: []
short: API Event document source name
type: keyword
Endpoint.metrics.documents_volume.api_events.sources.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-api-events-sources-suppressed-bytes
description: Total size of suppressed API Event documents from source
flat_name: Endpoint.metrics.documents_volume.api_events.sources.suppressed_bytes
level: custom
name: metrics.documents_volume.api_events.sources.suppressed_bytes
normalize: []
short: Total size of suppressed API Event documents from source
type: long
Endpoint.metrics.documents_volume.api_events.sources.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-api-events-sources-suppressed-count
description: Number of suppressed API Event documents from source
flat_name: Endpoint.metrics.documents_volume.api_events.sources.suppressed_count
level: custom
name: metrics.documents_volume.api_events.sources.suppressed_count
normalize: []
short: Number of suppressed API Event documents from source
type: long
Endpoint.metrics.documents_volume.api_events.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-api-events-suppressed-bytes
description: Total size of suppressed API Event documents
flat_name: Endpoint.metrics.documents_volume.api_events.suppressed_bytes
level: custom
name: metrics.documents_volume.api_events.suppressed_bytes
normalize: []
short: Total size of suppressed API Event documents
type: long
Endpoint.metrics.documents_volume.api_events.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-api-events-suppressed-count
description: Number of suppressed API Event documents
flat_name: Endpoint.metrics.documents_volume.api_events.suppressed_count
level: custom
name: metrics.documents_volume.api_events.suppressed_count
normalize: []
short: Number of suppressed API Event documents
type: long
Endpoint.metrics.documents_volume.diagnostic_alerts.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-diagnostic-alerts-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.diagnostic_alerts.sent_bytes
level: custom
name: metrics.documents_volume.diagnostic_alerts.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.diagnostic_alerts.sent_count:
dashed_name: Endpoint-metrics-documents-volume-diagnostic-alerts-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.diagnostic_alerts.sent_count
level: custom
name: metrics.documents_volume.diagnostic_alerts.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-diagnostic-alerts-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_bytes
level: custom
name: metrics.documents_volume.diagnostic_alerts.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-diagnostic-alerts-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_count
level: custom
name: metrics.documents_volume.diagnostic_alerts.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.documents_volume.dns_events.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-dns-events-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.dns_events.sent_bytes
level: custom
name: metrics.documents_volume.dns_events.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.dns_events.sent_count:
dashed_name: Endpoint-metrics-documents-volume-dns-events-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.dns_events.sent_count
level: custom
name: metrics.documents_volume.dns_events.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.dns_events.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-dns-events-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.dns_events.suppressed_bytes
level: custom
name: metrics.documents_volume.dns_events.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.dns_events.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-dns-events-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.dns_events.suppressed_count
level: custom
name: metrics.documents_volume.dns_events.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.documents_volume.file_events.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-file-events-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.file_events.sent_bytes
level: custom
name: metrics.documents_volume.file_events.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.file_events.sent_count:
dashed_name: Endpoint-metrics-documents-volume-file-events-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.file_events.sent_count
level: custom
name: metrics.documents_volume.file_events.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.file_events.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-file-events-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.file_events.suppressed_bytes
level: custom
name: metrics.documents_volume.file_events.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.file_events.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-file-events-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.file_events.suppressed_count
level: custom
name: metrics.documents_volume.file_events.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.documents_volume.library_events.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-library-events-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.library_events.sent_bytes
level: custom
name: metrics.documents_volume.library_events.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.library_events.sent_count:
dashed_name: Endpoint-metrics-documents-volume-library-events-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.library_events.sent_count
level: custom
name: metrics.documents_volume.library_events.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.library_events.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-library-events-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.library_events.suppressed_bytes
level: custom
name: metrics.documents_volume.library_events.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.library_events.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-library-events-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.library_events.suppressed_count
level: custom
name: metrics.documents_volume.library_events.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.documents_volume.network_events.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-network-events-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.network_events.sent_bytes
level: custom
name: metrics.documents_volume.network_events.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.network_events.sent_count:
dashed_name: Endpoint-metrics-documents-volume-network-events-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.network_events.sent_count
level: custom
name: metrics.documents_volume.network_events.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.network_events.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-network-events-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.network_events.suppressed_bytes
level: custom
name: metrics.documents_volume.network_events.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.network_events.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-network-events-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.network_events.suppressed_count
level: custom
name: metrics.documents_volume.network_events.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.documents_volume.overall.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-overall-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.overall.sent_bytes
level: custom
name: metrics.documents_volume.overall.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.overall.sent_count:
dashed_name: Endpoint-metrics-documents-volume-overall-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.overall.sent_count
level: custom
name: metrics.documents_volume.overall.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.overall.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-overall-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.overall.suppressed_bytes
level: custom
name: metrics.documents_volume.overall.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.overall.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-overall-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.overall.suppressed_count
level: custom
name: metrics.documents_volume.overall.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.documents_volume.process_events.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-process-events-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.process_events.sent_bytes
level: custom
name: metrics.documents_volume.process_events.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.process_events.sent_count:
dashed_name: Endpoint-metrics-documents-volume-process-events-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.process_events.sent_count
level: custom
name: metrics.documents_volume.process_events.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.process_events.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-process-events-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.process_events.suppressed_bytes
level: custom
name: metrics.documents_volume.process_events.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.process_events.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-process-events-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.process_events.suppressed_count
level: custom
name: metrics.documents_volume.process_events.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.documents_volume.registry_events.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-registry-events-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.registry_events.sent_bytes
level: custom
name: metrics.documents_volume.registry_events.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.registry_events.sent_count:
dashed_name: Endpoint-metrics-documents-volume-registry-events-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.registry_events.sent_count
level: custom
name: metrics.documents_volume.registry_events.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.registry_events.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-registry-events-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.registry_events.suppressed_bytes
level: custom
name: metrics.documents_volume.registry_events.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.registry_events.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-registry-events-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.registry_events.suppressed_count
level: custom
name: metrics.documents_volume.registry_events.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.documents_volume.security_events.sent_bytes:
dashed_name: Endpoint-metrics-documents-volume-security-events-sent-bytes
description: Total size of sent documents
flat_name: Endpoint.metrics.documents_volume.security_events.sent_bytes
level: custom
name: metrics.documents_volume.security_events.sent_bytes
normalize: []
short: Total size of sent documents
type: long
Endpoint.metrics.documents_volume.security_events.sent_count:
dashed_name: Endpoint-metrics-documents-volume-security-events-sent-count
description: Number of sent documents
flat_name: Endpoint.metrics.documents_volume.security_events.sent_count
level: custom
name: metrics.documents_volume.security_events.sent_count
normalize: []
short: Number of sent documents
type: long
Endpoint.metrics.documents_volume.security_events.suppressed_bytes:
dashed_name: Endpoint-metrics-documents-volume-security-events-suppressed-bytes
description: Total size of suppressed documents
flat_name: Endpoint.metrics.documents_volume.security_events.suppressed_bytes
level: custom
name: metrics.documents_volume.security_events.suppressed_bytes
normalize: []
short: Total size of suppressed documents
type: long
Endpoint.metrics.documents_volume.security_events.suppressed_count:
dashed_name: Endpoint-metrics-documents-volume-security-events-suppressed-count
description: Number of suppressed documents
flat_name: Endpoint.metrics.documents_volume.security_events.suppressed_count
level: custom
name: metrics.documents_volume.security_events.suppressed_count
normalize: []
short: Number of suppressed documents
type: long
Endpoint.metrics.event_filter.active_global_count:
dashed_name: Endpoint-metrics-event-filter-active-global-count
description: The number of active global event filters
doc_values: false
flat_name: Endpoint.metrics.event_filter.active_global_count
index: false
level: custom
name: metrics.event_filter.active_global_count
normalize: []
short: The number of active global event filters
type: long
Endpoint.metrics.event_filter.active_user_count:
dashed_name: Endpoint-metrics-event-filter-active-user-count
description: The number of active user event filters
doc_values: false
flat_name: Endpoint.metrics.event_filter.active_user_count
index: false
level: custom
name: metrics.event_filter.active_user_count
normalize: []
short: The number of active user event filters
type: long
Endpoint.metrics.malicious_behavior_rules:
dashed_name: Endpoint-metrics-malicious-behavior-rules
description: An array of performance information about each malicious behavior rule
enabled: false
flat_name: Endpoint.metrics.malicious_behavior_rules
level: custom
name: metrics.malicious_behavior_rules
normalize: []
short: An array of performance information about each malicious behavior rule
type: object
Endpoint.metrics.malicious_behavior_rules.endpoint_uptime_percent:
dashed_name: Endpoint-metrics-malicious-behavior-rules-endpoint-uptime-percent
description: Percent of Endpoint's uptime spent running the rule
doc_values: false
flat_name: Endpoint.metrics.malicious_behavior_rules.endpoint_uptime_percent
index: false
level: custom
name: metrics.malicious_behavior_rules.endpoint_uptime_percent
normalize: []
short: Percent of Endpoint's uptime spent running the rule
type: double
Endpoint.metrics.malicious_behavior_rules.id:
dashed_name: Endpoint-metrics-malicious-behavior-rules-id
description: The rule id
doc_values: false
flat_name: Endpoint.metrics.malicious_behavior_rules.id
index: false
level: custom
name: metrics.malicious_behavior_rules.id
normalize: []
short: The rule id
type: keyword
Endpoint.metrics.memory:
dashed_name: Endpoint-metrics-memory
description: Memory statistics
flat_name: Endpoint.metrics.memory
level: custom
name: metrics.memory
normalize: []
short: Memory statistics
type: object
Endpoint.metrics.memory.endpoint:
dashed_name: Endpoint-metrics-memory-endpoint
description: Endpoint memory utilization
flat_name: Endpoint.metrics.memory.endpoint
level: custom
name: metrics.memory.endpoint
normalize: []
short: Endpoint memory utilization
type: object
Endpoint.metrics.memory.endpoint.private:
dashed_name: Endpoint-metrics-memory-endpoint-private
description: The memory private to the endpoint
flat_name: Endpoint.metrics.memory.endpoint.private
level: custom
name: metrics.memory.endpoint.private
normalize: []
short: The memory private to the endpoint
type: object
Endpoint.metrics.memory.endpoint.private.latest:
dashed_name: Endpoint-metrics-memory-endpoint-private-latest
description: The memory usage by the endpoint for the last sample interval
flat_name: Endpoint.metrics.memory.endpoint.private.latest
level: custom
name: metrics.memory.endpoint.private.latest
normalize: []
short: The memory usage by the endpoint for the last sample interval
type: long
Endpoint.metrics.memory.endpoint.private.mean:
dashed_name: Endpoint-metrics-memory-endpoint-private-mean
description: Average memory usage by the endpoint since its start
flat_name: Endpoint.metrics.memory.endpoint.private.mean
level: custom
name: metrics.memory.endpoint.private.mean
normalize: []
short: Average memory usage by the endpoint since its start
type: long
Endpoint.metrics.system_impact:
dashed_name: Endpoint-metrics-system-impact
description: An array of system impact information
doc_values: false
enabled: false
flat_name: Endpoint.metrics.system_impact
index: false
level: custom
name: metrics.system_impact
normalize: []
short: An array of system impact information
type: object
Endpoint.metrics.system_impact.authentication_events.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-authentication-events-week-idle-ms
description: The total milliseconds spent queueing authentication events for the
process over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.authentication_events.week_idle_ms
index: false
level: custom
name: metrics.system_impact.authentication_events.week_idle_ms
normalize: []
short: The total milliseconds spent queueing authentication events for the process
over the last week
type: unsigned_long
Endpoint.metrics.system_impact.authentication_events.week_ms:
dashed_name: Endpoint-metrics-system-impact-authentication-events-week-ms
description: The total milliseconds spent on authentication events for the process
over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.authentication_events.week_ms
index: false
level: custom
name: metrics.system_impact.authentication_events.week_ms
normalize: []
short: The total milliseconds spent on authentication events for the process over
the last week
type: unsigned_long
Endpoint.metrics.system_impact.dns_events.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-dns-events-week-idle-ms
description: The total milliseconds spent queueing DNS events for the process over
the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.dns_events.week_idle_ms
index: false
level: custom
name: metrics.system_impact.dns_events.week_idle_ms
normalize: []
short: The total milliseconds spent queueing DNS events for the process over the
last week
type: unsigned_long
Endpoint.metrics.system_impact.dns_events.week_ms:
dashed_name: Endpoint-metrics-system-impact-dns-events-week-ms
description: The total milliseconds spent on DNS events for the process over the
last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.dns_events.week_ms
index: false
level: custom
name: metrics.system_impact.dns_events.week_ms
normalize: []
short: The total milliseconds spent on DNS events for the process over the last
week
type: unsigned_long
Endpoint.metrics.system_impact.file_events.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-file-events-week-idle-ms
description: The total milliseconds spent queueing file events for the process over
the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.file_events.week_idle_ms
index: false
level: custom
name: metrics.system_impact.file_events.week_idle_ms
normalize: []
short: The total milliseconds spent queueing file events for the process over the
last week
type: unsigned_long
Endpoint.metrics.system_impact.file_events.week_ms:
dashed_name: Endpoint-metrics-system-impact-file-events-week-ms
description: The total milliseconds spent on file events for the process over the
last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.file_events.week_ms
index: false
level: custom
name: metrics.system_impact.file_events.week_ms
normalize: []
short: The total milliseconds spent on file events for the process over the last
week
type: unsigned_long
Endpoint.metrics.system_impact.library_load_events.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-library-load-events-week-idle-ms
description: The total milliseconds spent queueing library load events for the process
over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.library_load_events.week_idle_ms
index: false
level: custom
name: metrics.system_impact.library_load_events.week_idle_ms
normalize: []
short: The total milliseconds spent queueing library load events for the process
over the last week
type: unsigned_long
Endpoint.metrics.system_impact.library_load_events.week_ms:
dashed_name: Endpoint-metrics-system-impact-library-load-events-week-ms
description: The total milliseconds spent on library load events for the process
over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.library_load_events.week_ms
index: false
level: custom
name: metrics.system_impact.library_load_events.week_ms
normalize: []
short: The total milliseconds spent on library load events for the process over
the last week
type: unsigned_long
Endpoint.metrics.system_impact.malware.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-malware-week-idle-ms
description: The total milliseconds spent queueing malware scanning due to the process
over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.malware.week_idle_ms
index: false
level: custom
name: metrics.system_impact.malware.week_idle_ms
normalize: []
short: The total milliseconds spent queueing malware scanning due to the process
over the last week
type: unsigned_long
Endpoint.metrics.system_impact.malware.week_ms:
dashed_name: Endpoint-metrics-system-impact-malware-week-ms
description: The total milliseconds spent on malware scanning due to the process
over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.malware.week_ms
index: false
level: custom
name: metrics.system_impact.malware.week_ms
normalize: []
short: The total milliseconds spent on malware scanning due to the process over
the last week
type: unsigned_long
Endpoint.metrics.system_impact.network_events.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-network-events-week-idle-ms
description: The total milliseconds spent queueing network events for the process
over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.network_events.week_idle_ms
index: false
level: custom
name: metrics.system_impact.network_events.week_idle_ms
normalize: []
short: The total milliseconds spent queueing network events for the process over
the last week
type: unsigned_long
Endpoint.metrics.system_impact.network_events.week_ms:
dashed_name: Endpoint-metrics-system-impact-network-events-week-ms
description: The total milliseconds spent on network events for the process over
the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.network_events.week_ms
index: false
level: custom
name: metrics.system_impact.network_events.week_ms
normalize: []
short: The total milliseconds spent on network events for the process over the last
week
type: unsigned_long
Endpoint.metrics.system_impact.overall.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-overall-week-idle-ms
description: The total milliseconds spent queueing activity for the process over
the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.overall.week_idle_ms
index: false
level: custom
name: metrics.system_impact.overall.week_idle_ms
normalize: []
short: The total milliseconds spent queueing activity for the process over the last
week
type: unsigned_long
Endpoint.metrics.system_impact.overall.week_ms:
dashed_name: Endpoint-metrics-system-impact-overall-week-ms
description: The total milliseconds spent monitoring the process over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.overall.week_ms
index: false
level: custom
name: metrics.system_impact.overall.week_ms
normalize: []
short: The total milliseconds spent monitoring the process over the last week
type: unsigned_long
Endpoint.metrics.system_impact.process.code_signature:
dashed_name: Endpoint-metrics-system-impact-process-code-signature
description: Code signature of the process
doc_values: false
flat_name: Endpoint.metrics.system_impact.process.code_signature
index: false
level: custom
name: metrics.system_impact.process.code_signature
normalize: []
short: Code signature of the process
type: nested
Endpoint.metrics.system_impact.process.code_signature.exists:
dashed_name: Endpoint-metrics-system-impact-process-code-signature-exists
description: Boolean to capture if a signature is present.
doc_values: false
example: 'true'
flat_name: Endpoint.metrics.system_impact.process.code_signature.exists
index: false
level: custom
name: metrics.system_impact.process.code_signature.exists
normalize: []
short: Boolean to capture if a signature is present.
type: boolean
Endpoint.metrics.system_impact.process.code_signature.signing_id:
dashed_name: Endpoint-metrics-system-impact-process-code-signature-signing-id
description: '''The identifier used to sign the binary.
This is used to identify the application manufactured by a software vendor. The
field is relevant to Apple *OS only.'''
doc_values: false
example: com.apple.xpc.proxy
flat_name: Endpoint.metrics.system_impact.process.code_signature.signing_id
index: false
level: extended
name: metrics.system_impact.process.code_signature.signing_id
normalize: []
short: The identifier used to sign the binary.
type: keyword
Endpoint.metrics.system_impact.process.code_signature.status:
dashed_name: Endpoint-metrics-system-impact-process-code-signature-status
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
doc_values: false
example: ERROR_UNTRUSTED_ROOT
flat_name: Endpoint.metrics.system_impact.process.code_signature.status
index: false
level: custom
name: metrics.system_impact.process.code_signature.status
normalize: []
short: Additional information about the certificate status.
type: keyword
Endpoint.metrics.system_impact.process.code_signature.subject_name:
dashed_name: Endpoint-metrics-system-impact-process-code-signature-subject-name
description: Subject name of the code signer
doc_values: false
example: Microsoft Corporation
flat_name: Endpoint.metrics.system_impact.process.code_signature.subject_name
index: false
level: custom
name: metrics.system_impact.process.code_signature.subject_name
normalize: []
short: Subject name of the code signer
type: keyword
Endpoint.metrics.system_impact.process.code_signature.team_id:
dashed_name: Endpoint-metrics-system-impact-process-code-signature-team-id
description: '''The team identifier used to sign the binary.
This is used to identify the team or vendor of a software product. The field is
relevant to Apple *OS only.'''
doc_values: false
example: EQHXZ8M8AV
flat_name: Endpoint.metrics.system_impact.process.code_signature.team_id
index: false
level: extended
name: metrics.system_impact.process.code_signature.team_id
normalize: []
short: The team identifier used to sign the binary.
type: keyword
Endpoint.metrics.system_impact.process.code_signature.trusted:
dashed_name: Endpoint-metrics-system-impact-process-code-signature-trusted
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field
should only be populated by tools that actively check the status.'
doc_values: false
example: 'true'
flat_name: Endpoint.metrics.system_impact.process.code_signature.trusted
index: false
level: custom
name: metrics.system_impact.process.code_signature.trusted
normalize: []
short: Stores the trust status of the certificate chain.
type: boolean
Endpoint.metrics.system_impact.process.code_signature.valid:
dashed_name: Endpoint-metrics-system-impact-process-code-signature-valid
description: 'Boolean to capture if the digital signature is verified against the
binary content.
Leave unpopulated if a certificate was unchecked.'
doc_values: false
example: 'true'
flat_name: Endpoint.metrics.system_impact.process.code_signature.valid
index: false
level: custom
name: metrics.system_impact.process.code_signature.valid
normalize: []
short: Boolean to capture if the digital signature is verified against the binary
content.
type: boolean
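Endpoint.metrics.system_impact.process.executable:
  dashed_name: Endpoint-metrics-system-impact-process-executable
  description: Path to the process executable for the impact entry
  doc_values: false
  flat_name: Endpoint.metrics.system_impact.process.executable
  index: false
  level: custom
  name: metrics.system_impact.process.executable
  normalize: []
  short: Path to the process executable for the impact entry
  # A filesystem path is a string. The previous `unsigned_long` contradicted the
  # description and looks copied from the neighbouring *_ms counters; sibling
  # string fields (code_signature.subject_name, threads.name) use `keyword`.
  # As with the other system_impact fields, `index`/`doc_values` are false, so the
  # value is stored in _source only and is not searchable or aggregatable.
  type: keyword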
Endpoint.metrics.system_impact.process_events.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-process-events-week-idle-ms
description: The total milliseconds spent queueing process events for the process
over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.process_events.week_idle_ms
index: false
level: custom
name: metrics.system_impact.process_events.week_idle_ms
normalize: []
short: The total milliseconds spent queueing process events for the process over
the last week
type: unsigned_long
Endpoint.metrics.system_impact.process_events.week_ms:
dashed_name: Endpoint-metrics-system-impact-process-events-week-ms
description: The total milliseconds spent on process events for the process over
the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.process_events.week_ms
index: false
level: custom
name: metrics.system_impact.process_events.week_ms
normalize: []
short: The total milliseconds spent on process events for the process over the last
week
type: unsigned_long
Endpoint.metrics.system_impact.registry_events.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-registry-events-week-idle-ms
description: The total milliseconds spent queueing registry events for the process
over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.registry_events.week_idle_ms
index: false
level: custom
name: metrics.system_impact.registry_events.week_idle_ms
normalize: []
short: The total milliseconds spent queueing registry events for the process over
the last week
type: unsigned_long
Endpoint.metrics.system_impact.registry_events.week_ms:
dashed_name: Endpoint-metrics-system-impact-registry-events-week-ms
description: The total milliseconds spent on registry events for the process over
the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.registry_events.week_ms
index: false
level: custom
name: metrics.system_impact.registry_events.week_ms
normalize: []
short: The total milliseconds spent on registry events for the process over the
last week
type: unsigned_long
Endpoint.metrics.system_impact.threat_intelligence_events.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-threat-intelligence-events-week-idle-ms
description: The total milliseconds spent queueing ETW Threat-Intelligence events
for the process over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.threat_intelligence_events.week_idle_ms
index: false
level: custom
name: metrics.system_impact.threat_intelligence_events.week_idle_ms
normalize: []
short: The total milliseconds spent queueing ETW Threat-Intelligence events for
the process over the last week
type: unsigned_long
Endpoint.metrics.system_impact.threat_intelligence_events.week_ms:
dashed_name: Endpoint-metrics-system-impact-threat-intelligence-events-week-ms
description: The total milliseconds spent on ETW Threat-Intelligence events for
the process over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.threat_intelligence_events.week_ms
index: false
level: custom
name: metrics.system_impact.threat_intelligence_events.week_ms
normalize: []
short: The total milliseconds spent on ETW Threat-Intelligence events for the process
over the last week
type: unsigned_long
Endpoint.metrics.system_impact.win32k_events.week_idle_ms:
dashed_name: Endpoint-metrics-system-impact-win32k-events-week-idle-ms
description: The total milliseconds spent queueing ETW Win32k events (currently,
only keylogging events) for the process over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.win32k_events.week_idle_ms
index: false
level: custom
name: metrics.system_impact.win32k_events.week_idle_ms
normalize: []
short: The total milliseconds spent queueing ETW Win32k events for the process over
the last week
type: unsigned_long
Endpoint.metrics.system_impact.win32k_events.week_ms:
dashed_name: Endpoint-metrics-system-impact-win32k-events-week-ms
description: The total milliseconds spent on ETW Win32k events (currently, only
keylogging events) for the process over the last week
doc_values: false
flat_name: Endpoint.metrics.system_impact.win32k_events.week_ms
index: false
level: custom
name: metrics.system_impact.win32k_events.week_ms
normalize: []
short: The total milliseconds spent on ETW Win32k events for the process over the
last week
type: unsigned_long
Endpoint.metrics.threads:
dashed_name: Endpoint-metrics-threads
description: Statistics about the individual Endpoint threads (array)
enabled: false
flat_name: Endpoint.metrics.threads
level: custom
name: metrics.threads
normalize: []
short: Statistics about the individual Endpoint threads (array)
type: object
Endpoint.metrics.threads.cpu.mean:
dashed_name: Endpoint-metrics-threads-cpu-mean
description: The thread's average CPU use
doc_values: false
flat_name: Endpoint.metrics.threads.cpu.mean
index: false
level: custom
name: metrics.threads.cpu.mean
normalize: []
short: The thread's average CPU use
type: double
Endpoint.metrics.threads.name:
dashed_name: Endpoint-metrics-threads-name
description: The thread name
doc_values: false
flat_name: Endpoint.metrics.threads.name
index: false
level: custom
name: metrics.threads.name
normalize: []
short: The thread name
type: keyword
Endpoint.metrics.uptime:
dashed_name: Endpoint-metrics-uptime
description: Number of seconds since boot
flat_name: Endpoint.metrics.uptime
level: custom
name: metrics.uptime
normalize: []
short: Number of seconds since boot
type: object
Endpoint.metrics.uptime.endpoint:
dashed_name: Endpoint-metrics-uptime-endpoint
description: Number of seconds since the endpoint was started
flat_name: Endpoint.metrics.uptime.endpoint
level: custom
name: metrics.uptime.endpoint
normalize: []
short: Number of seconds since the endpoint was started
type: long
Endpoint.metrics.uptime.system:
dashed_name: Endpoint-metrics-uptime-system
description: Number of seconds since the system was started
flat_name: Endpoint.metrics.uptime.system
level: custom
name: metrics.uptime.system
normalize: []
short: Number of seconds since the system was started
type: long
agent.id:
dashed_name: agent-id
description: 'Unique identifier of this agent (if one exists).
Example: For Beats this would be beat.id.'
example: 8a4f500d
flat_name: agent.id
ignore_above: 1024
level: core
name: id
normalize: []
short: Unique identifier of this agent.
type: keyword
agent.type:
dashed_name: agent-type
description: 'Type of the agent.
The agent type always stays the same and should be given by the agent used. In
case of Filebeat the agent would always be Filebeat also if two Filebeat instances
are run on the same machine.'
example: filebeat
flat_name: agent.type
ignore_above: 1024
level: core
name: type
normalize: []
short: Type of the agent.
type: keyword
agent.version:
dashed_name: agent-version
description: Version of the agent.
example: 6.0.0-rc2
flat_name: agent.version
ignore_above: 1024
level: core
name: version
normalize: []
short: Version of the agent.
type: keyword
data_stream.dataset:
dashed_name: data-stream-dataset
description: Data stream dataset name.
example: nginx.access
flat_name: data_stream.dataset
level: custom
name: dataset
normalize: []
short: The field can contain anything that makes sense to signify the source of
the data.
type: constant_keyword
data_stream.namespace:
dashed_name: data-stream-namespace
description: Data stream namespace.
example: production
flat_name: data_stream.namespace
level: custom
name: namespace
normalize: []
short: A user defined namespace. Namespaces are useful to allow grouping of data.
type: constant_keyword
data_stream.type:
dashed_name: data-stream-type
description: Data stream type.
example: logs
flat_name: data_stream.type
level: custom
name: type
normalize: []
short: An overarching type for the data stream.
type: constant_keyword
ecs.version:
dashed_name: ecs-version
description: 'ECS version this event conforms to. `ecs.version` is a required field
and must exist in all events.
When querying across multiple indices -- which may conform to slightly different
ECS versions -- this field lets integrations adjust to the schema version of the
events.'
example: 1.0.0
flat_name: ecs.version
ignore_above: 1024
level: core
name: version
normalize: []
required: true
short: ECS version this event conforms to.
type: keyword
event.action:
dashed_name: event-action
description: 'The action captured by the event.
This describes the information in the event. It is more specific than `event.category`.
Examples are `group-add`, `process-started`, `file-created`. The value is normally
defined by the implementer.'
example: user-password-change
flat_name: event.action
ignore_above: 1024
level: core
name: action
normalize: []
short: The action captured by the event.
type: keyword
event.category:
allowed_values:
- description: Events in this category annotate API calls that occurred on a system.
Typical sources for those events could be from the Operating System level through
the native libraries (for example Windows Win32, Linux libc, etc.), or managed
sources of events (such as ETW, syslog), but can also include network protocols
(such as SOAP, RPC, Websocket, REST, etc.)
expected_event_types:
- access
- admin
- allowed
- change
- creation
- deletion
- denied
- end
- info
- start
- user
name: api
- description: Events in this category are related to the challenge and response
process in which credentials are supplied and verified to allow the creation
of a session. Common sources for these logs are Windows event logs and ssh logs.
Visualize and analyze events in this category to look for failed logins, and
other authentication-related activity.
expected_event_types:
- start
- end
- info
name: authentication
- description: 'Events in the configuration category have to deal with creating,
modifying, or deleting the settings or parameters of an application, process,
or system.
Example sources include security policy change logs, configuration auditing
logging, and system integrity monitoring.'
expected_event_types:
- access
- change
- creation
- deletion
- info
name: configuration
- description: The database category denotes events and metrics relating to a data
storage and retrieval system. Note that use of this category is not limited
to relational database systems. Examples include event logs from MS SQL, MySQL,
Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database
activity such as accesses and changes.
expected_event_types:
- access
- change
- info
- error
name: database
- description: 'Events in the driver category have to do with operating system device
drivers and similar software entities such as Windows drivers, kernel extensions,
kernel modules, etc.
Use events and metrics in this category to visualize and analyze driver-related
activity and status on hosts.'
expected_event_types:
- change
- end
- info
- start
name: driver
- description: 'This category is used for events relating to email messages, email
attachments, and email network or protocol activity.
Email events can be produced by email security gateways, mail transfer agents,
email cloud service providers, or mail server monitoring applications.'
expected_event_types:
- info
name: email
- description: Relating to a set of information that has been created on, or has
existed on a filesystem. Use this category of events to visualize and analyze
the creation, access, and deletions of files. Events in this category can come
from both host-based and network-based sources. An example source of a network-based
detection of a file transfer would be the Zeek file.log.
expected_event_types:
- access
- change
- creation
- deletion
- info
name: file
- description: 'Use this category to visualize and analyze information such as host
inventory or host lifecycle events.
Most of the events in this category can usually be observed from the outside,
such as from a hypervisor or a control plane''s point of view. Some can also
be seen from within, such as "start" or "end".
Note that this category is for information about hosts themselves; it is not
meant to capture activity "happening on a host".'
expected_event_types:
- access
- change
- end
- info
- start
name: host
- description: Identity and access management (IAM) events relating to users, groups,
and administration. Use this category to visualize and analyze IAM-related logs
and data from active directory, LDAP, Okta, Duo, and other IAM systems.
expected_event_types:
- admin
- change
- creation
- deletion
- group
- info
- user
name: iam
- description: Relating to intrusion detections from IDS/IPS systems and functions,
both network and host-based. Use this category to visualize and analyze intrusion
detection alerts from systems such as Snort, Suricata, and Palo Alto threat
detections.
expected_event_types:
- allowed
- denied
- info
name: intrusion_detection
- description: Events in this category refer to the loading of a library, such as
(dll / so / dylib), into a process. Use this category to visualize and analyze
library loading related activity on hosts. Keep in mind that driver related
activity will be captured under the "driver" category above.
expected_event_types:
- start
name: library
- description: Malware detection events and alerts. Use this category to visualize
and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems
such as Suricata, or other sources of malware-related events such as Palo Alto
Networks threat logs and Wildfire logs.
expected_event_types:
- info
name: malware
- description: Relating to all network activity, including network connection lifecycle,
network traffic, and essentially any event that includes an IP address. Many
events containing decoded network protocol transactions fit into this category.
Use events in this category to visualize or analyze counts of network ports,
protocols, addresses, geolocation information, etc.
expected_event_types:
- access
- allowed
- connection
- denied
- end
- info
- protocol
- start
name: network
- description: Relating to software packages installed on hosts. Use this category
to visualize and analyze inventory of software installed on various hosts, or
to determine host vulnerability in the absence of vulnerability scan data.
expected_event_types:
- access
- change
- deletion
- info
- installation
- start
name: package
- description: Use this category of events to visualize and analyze process-specific
information such as lifecycle events or process ancestry.
expected_event_types:
- access
- change
- end
- info
- start
name: process
- description: Having to do with settings and assets stored in the Windows registry.
Use this category to visualize and analyze activity such as registry access
and modifications.
expected_event_types:
- access
- change
- creation
- deletion
name: registry
- description: The session category is applied to events and metrics regarding logical
persistent connections to hosts and services. Use this category to visualize
and analyze interactive or automated persistent connections between assets.
Data for this category may come from Windows Event logs, SSH logs, or stateless
sessions such as HTTP cookie-based sessions, etc.
expected_event_types:
- start
- end
- info
name: session
- description: Use this category to visualize and analyze events describing threat
actors' targets, motives, or behaviors.
expected_event_types:
- indicator
name: threat
- description: Relating to vulnerability scan results. Use this category to analyze
vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability
management sources.
expected_event_types:
- info
name: vulnerability
- description: 'Relating to web server access. Use this category to create a dashboard
of web server/proxy activity from apache, IIS, nginx web servers, etc. Note:
events from network observers such as Zeek http log may also be included in
this category.'
expected_event_types:
- access
- error
- info
name: web
dashed_name: event-category
description: 'This is one of four ECS Categorization Fields, and indicates the second
level in the ECS category hierarchy.
`event.category` represents the "big buckets" of ECS categories. For example,
filtering on `event.category:process` yields all events relating to process activity.
This field is closely related to `event.type`, which is used as a subcategory.
This field is an array. This will allow proper categorization of some events that
fall in multiple categories.'
example: authentication
flat_name: event.category
ignore_above: 1024
level: core
name: category
normalize:
- array
short: Event category. The second categorization field in the hierarchy.
type: keyword
event.code:
dashed_name: event-code
description: 'Identification code for this event, if one exists.
Some event sources use event codes to identify messages unambiguously, regardless
of message language or wording adjustments over time. An example of this is the
Windows Event ID.'
example: '4648'
flat_name: event.code
ignore_above: 1024
level: extended
name: code
normalize: []
short: Identification code for this event.
type: keyword
event.created:
dashed_name: event-created
description: '`event.created` contains the date/time when the event was first read
by an agent, or by your pipeline.
This field is distinct from `@timestamp` in that `@timestamp` typically contains
the time extracted from the original event.
In most situations, these two timestamps will be slightly different. The difference
can be used to calculate the delay between your source generating an event, and
the time when your agent first processed it. This can be used to monitor your
agent''s or pipeline''s ability to keep up with your event source.
In case the two timestamps are identical, `@timestamp` should be used.'
example: '2016-05-23T08:05:34.857Z'
flat_name: event.created
level: core
name: created
normalize: []
short: Time when the event was first read by an agent or by your pipeline.
type: date
event.dataset:
dashed_name: event-dataset
description: 'Name of the dataset.
If an event source publishes more than one type of log or events (e.g. access
log, error log), the dataset is used to specify which one the event comes from.
It''s recommended but not required to start the dataset name with the module name,
followed by a dot, then the dataset name.'
example: apache.access
flat_name: event.dataset
ignore_above: 1024
level: core
name: dataset
normalize: []
short: Name of the dataset.
type: keyword
event.end:
dashed_name: event-end
description: '`event.end` contains the date when the event ended or when the activity
was last observed.'
flat_name: event.end
level: extended
name: end
normalize: []
short: '`event.end` contains the date when the event ended or when the activity
was last observed.'
type: date
event.hash:
dashed_name: event-hash
description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate
log integrity.
example: 123456789012345678901234567890ABCD
flat_name: event.hash
ignore_above: 1024
level: extended
name: hash
normalize: []
short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate
log integrity.
type: keyword
event.id:
dashed_name: event-id
description: Unique ID to describe the event.
example: 8a4f500d
flat_name: event.id
ignore_above: 1024
level: core
name: id
normalize: []
short: Unique ID to describe the event.
type: keyword
event.ingested:
dashed_name: event-ingested
description: 'Timestamp when an event arrived in the central data store.
This is different from `@timestamp`, which is when the event originally occurred. It''s
also different from `event.created`, which is meant to capture the first time
an agent saw the event.
In normal conditions, assuming no tampering, the timestamps should chronologically
look like this: `@timestamp` < `event.created` < `event.ingested`.'
example: '2016-05-23T08:05:35.101Z'
flat_name: event.ingested
level: core
name: ingested
normalize: []
short: Timestamp when an event arrived in the central data store.
type: date
event.kind:
allowed_values:
- description: 'This value indicates an event such as an alert or notable event,
triggered by a detection rule executing externally to the Elastic Stack.
`event.kind:alert` is often populated for events coming from firewalls, intrusion
detection systems, endpoint detection and response systems, and so on.
This value is not used by Elastic solutions for alert documents that are created
by rules executing within the Kibana alerting framework.'
name: alert
- beta: This event categorization value is beta and subject to change.
description: 'This value indicates events whose primary purpose is to store an
inventory of assets/entities and their attributes. Assets/entities are objects
(such as users and hosts) that are expected to be subjects of detailed analysis
within the system.
Examples include lists of user identities or accounts ingested from directory
services such as Active Directory (AD), inventory of hosts pulled from configuration
management databases (CMDB), and lists of cloud storage buckets pulled from
cloud provider APIs.
This value is used by Elastic Security for asset management solutions. `event.kind:
asset` is not used for normal system events or logs that are coming from an
asset/entity, nor is it used for system events or logs coming from a directory
or CMDB system.'
name: asset
- description: 'The `enrichment` value indicates an event collected to provide additional
context, often to other events.
An example is collecting indicators of compromise (IOCs) from a threat intelligence
provider with the intent to use those values to enrich other events. The IOC
events from the intelligence provider should be categorized as `event.kind:enrichment`.'
name: enrichment
- description: This value is the most general and most common value for this field.
It is used to represent events that indicate that something happened.
name: event
- description: 'This value is used to indicate that this event describes a numeric
measurement taken at a given point in time.
Examples include CPU utilization, memory usage, or device temperature.
Metric events are often collected on a predictable frequency, such as once every
few seconds, or once a minute, but can also be used to describe ad-hoc numeric
metric queries.'
name: metric
- description: 'The state value is similar to metric, indicating that this event
describes a measurement taken at a given point in time, except that the measurement
does not result in a numeric value, but rather one of a fixed set of categorical
values that represent conditions or states.
Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red),
the state of a TCP connection (open, closed, fin_wait, etc.), the state of a
host with respect to a software vulnerability (vulnerable, not vulnerable),
and the state of a system regarding compliance with a regulatory standard (compliant,
not compliant).
Note that an event that describes a change of state would not use `event.kind:state`,
but instead would use `event.kind:event` since a state change fits the more
general event definition of something that happened.
State events are often collected on a predictable frequency, such as once every
few seconds, once a minute, once an hour, or once a day, but can also be used
to describe ad-hoc state queries.'
name: state
- description: This value indicates that an error occurred during the ingestion
of this event, and that event data may be missing, inconsistent, or incorrect.
`event.kind:pipeline_error` is often associated with parsing errors.
name: pipeline_error
- description: 'This value is used by Elastic solutions (e.g., Security, Observability)
for alert documents that are created by rules executing within the Kibana alerting
framework.
Usage of this value is reserved, and data ingestion pipelines must not populate
`event.kind` with the value "signal".'
name: signal
dashed_name: event-kind
description: 'This is one of four ECS Categorization Fields, and indicates the highest
level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the event
contains, without being specific to the contents of the event. For example, values
of this field distinguish alert events from metric events.
The value of this field can be used to inform how these kinds of events should
be handled. They may warrant different retention, different access control, it
may also help understand whether the data is coming in at a regular interval or
not.'
example: alert
flat_name: event.kind
ignore_above: 1024
level: core
name: kind
normalize: []
short: The kind of the event. The highest categorization field in the hierarchy.
type: keyword
event.module:
dashed_name: event-module
description: 'Name of the module this data is coming from.
If your monitoring agent supports the concept of modules or plugins to process
events of a given source (e.g. Apache logs), `event.module` should contain the
name of this module.'
example: apache
flat_name: event.module
ignore_above: 1024
level: core
name: module
normalize: []
short: Name of the module this data is coming from.
type: keyword
event.outcome:
allowed_values:
- description: Indicates that this event describes a failed result. A common example
is `event.category:file AND event.type:access AND event.outcome:failure` to
indicate that a file access was attempted, but was not successful.
name: failure
- description: Indicates that this event describes a successful result. A common
example is `event.category:file AND event.type:create AND event.outcome:success`
to indicate that a file was successfully created.
name: success
- description: Indicates that this event describes only an attempt for which the
result is unknown from the perspective of the event producer. For example, if
the event contains information only about the request side of a transaction
that results in a response, populating `event.outcome:unknown` in the request
event is appropriate. The unknown value should not be used when an outcome doesn't
make logical sense for the event. In such cases `event.outcome` should not be
populated.
name: unknown
dashed_name: event-outcome
description: 'This is one of four ECS Categorization Fields, and indicates the lowest
level in the ECS category hierarchy.
`event.outcome` simply denotes whether the event represents a success or a failure
from the perspective of the entity that produced the event.
Note that when a single transaction is described in multiple events, each event
may populate different values of `event.outcome`, according to their perspective.
Also note that in the case of a compound event (a single event that contains multiple
logical events), this field should be populated with the value that best captures
the overall success or failure from the perspective of the event producer.
Further note that not all events will have an associated outcome. For example,
this field is generally not populated for metric events, events with `event.type:info`,
or any events for which an outcome does not make logical sense.'
example: success
flat_name: event.outcome
ignore_above: 1024
level: core
name: outcome
normalize: []
short: The outcome of the event. The lowest level categorization field in the hierarchy.
type: keyword
event.provider:
dashed_name: event-provider
description: 'Source of the event.
Event transports such as Syslog or the Windows Event Log typically mention the
source of an event. It can be the name of the software that generated the event
(e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).'
example: kernel
flat_name: event.provider
ignore_above: 1024
level: extended
name: provider
normalize: []
short: Source of the event.
type: keyword
event.sequence:
dashed_name: event-sequence
description: 'Sequence number of the event.
The sequence number is a value published by some event sources, to make the exact
ordering of events unambiguous, regardless of the timestamp precision.'
flat_name: event.sequence
format: string
level: extended
name: sequence
normalize: []
short: Sequence number of the event.
type: long
event.severity:
dashed_name: event-severity
description: 'The numeric severity of the event according to your event source.
What the different severity values mean can be different between sources and use
cases. It''s up to the implementer to make sure severities are consistent across
events from the same source.
The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is
meant to represent the severity according to the event source (e.g. firewall,
IDS). If the event source does not publish its own severity, you may optionally
copy the `log.syslog.severity.code` to `event.severity`.'
example: 7
flat_name: event.severity
format: string
level: core
name: severity
normalize: []
short: Numeric severity of the event.
type: long
event.start:
dashed_name: event-start
description: '`event.start` contains the date when the event started or when the
activity was first observed.'
flat_name: event.start
level: extended
name: start
normalize: []
short: '`event.start` contains the date when the event started or when the activity
was first observed.'
type: date
event.type:
allowed_values:
- description: The access event type is used for the subset of events within a category
that indicate that something was accessed. Common examples include `event.category:database
AND event.type:access`, or `event.category:file AND event.type:access`. Note
for file access, both directory listings and file opens should be included in
this subcategory. You can further distinguish access operations using the ECS
`event.action` field.
name: access
- description: 'The admin event type is used for the subset of events within a category
that are related to admin objects. For example, administrative changes within
an IAM framework that do not specifically affect a user or group (e.g., adding
new applications to a federation solution or connecting discrete forests in
Active Directory) would fall into this subcategory. Common example: `event.category:iam
AND event.type:change AND event.type:admin`. You can further distinguish admin
operations using the ECS `event.action` field.'
name: admin
- description: The allowed event type is used for the subset of events within a
category that indicate that something was allowed. Common examples include `event.category:network
AND event.type:connection AND event.type:allowed` (to indicate a network firewall
event for which the firewall disposition was to allow the connection to complete)
and `event.category:intrusion_detection AND event.type:allowed` (to indicate
a network intrusion prevention system event for which the IPS disposition was
to allow the connection to complete). You can further distinguish allowed operations
using the ECS `event.action` field, populating with values of your choosing,
such as "allow", "detect", or "pass".
name: allowed
- description: The change event type is used for the subset of events within a category
that indicate that something has changed. If semantics best describe an event
as modified, then include them in this subcategory. Common examples include
`event.category:process AND event.type:change`, and `event.category:file AND
event.type:change`. You can further distinguish change operations using the
ECS `event.action` field.
name: change
- description: Used primarily with `event.category:network` this value is used for
the subset of network traffic that includes sufficient information for the event
to be included in flow or connection analysis. Events in this subcategory will
contain at least source and destination IP addresses, source and destination
TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred.
Events in this subcategory may contain unidirectional or bidirectional information,
including summary information. Use this subcategory to visualize and analyze
network connections. Flow analysis, including Netflow, IPFIX, and other flow-related
events fit in this subcategory. Note that firewall events from many Next-Generation
Firewall (NGFW) devices will also fit into this subcategory. A common filter
for flow/connection information would be `event.category:network AND event.type:connection
AND event.type:end` (to view or analyze all completed network connections, ignoring
mid-flow reports). You can further distinguish connection events using the ECS
`event.action` field, populating with values of your choosing, such as "timeout",
or "reset".
name: connection
- description: The "creation" event type is used for the subset of events within
a category that indicate that something was created. A common example is `event.category:file
AND event.type:creation`.
name: creation
- description: The deletion event type is used for the subset of events within a
category that indicate that something was deleted. A common example is `event.category:file
AND event.type:deletion` to indicate that a file has been deleted.
name: deletion
- description: The denied event type is used for the subset of events within a category
that indicate that something was denied. Common examples include `event.category:network
AND event.type:denied` (to indicate a network firewall event for which the firewall
disposition was to deny the connection) and `event.category:intrusion_detection
AND event.type:denied` (to indicate a network intrusion prevention system event
for which the IPS disposition was to deny the connection from completing). You can
further distinguish denied operations using the ECS `event.action` field, populating
with values of your choosing, such as "blocked", "dropped", or "quarantined".
name: denied
- description: The end event type is used for the subset of events within a category
that indicate something has ended. A common example is `event.category:process
AND event.type:end`.
name: end
- description: The error event type is used for the subset of events within a category
that indicate or describe an error. A common example is `event.category:database
AND event.type:error`. Note that pipeline errors that occur during the event
ingestion process should not use this `event.type` value. Instead, they should
use `event.kind:pipeline_error`.
name: error
- description: 'The group event type is used for the subset of events within a category
that are related to group objects. Common example: `event.category:iam AND event.type:creation
AND event.type:group`. You can further distinguish group operations using the
ECS `event.action` field.'
name: group
- description: 'The indicator event type is used for the subset of events within
a category that contain details about indicators of compromise (IOCs).
A common example is `event.category:threat AND event.type:indicator`.'
name: indicator
- description: The info event type is used for the subset of events within a category
that indicate that they are purely informational, and don't report a state change,
or any type of action. For example, an initial run of a file integrity monitoring
system (FIM), where an agent reports all files under management, would fall
into the "info" subcategory. Similarly, an event containing a dump of all currently
running processes (as opposed to reporting that a process started/ended) would
fall into the "info" subcategory. An additional common example is `event.category:intrusion_detection
AND event.type:info`.
name: info
- description: The installation event type is used for the subset of events within
a category that indicate that something was installed. A common example is `event.category:package
AND event.type:installation`.
name: installation
- description: The protocol event type is used for the subset of events within a
category that indicate that they contain protocol details or analysis, beyond
simply identifying the protocol. Generally, network events that contain specific
protocol details will fall into this subcategory. A common example is `event.category:network
AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate
that the event is a network connection event sent at the end of a connection
that also includes a protocol detail breakdown). Note that events that only
indicate the name or id of the protocol should not use the protocol value. Further
note that when the protocol subcategory is used, the identified protocol is
populated in the ECS `network.protocol` field.
name: protocol
- description: The start event type is used for the subset of events within a category
that indicate something has started. A common example is `event.category:process
AND event.type:start`.
name: start
- description: 'The user event type is used for the subset of events within a category
that are related to user objects. Common example: `event.category:iam AND event.type:deletion
AND event.type:user`. You can further distinguish user operations using the
ECS `event.action` field.'
name: user
dashed_name: event-type
description: 'This is one of four ECS Categorization Fields, and indicates the third
level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with
the `event.category` field values, enables filtering events down to a level appropriate
for single visualization.
This field is an array. This will allow proper categorization of some events that
fall in multiple event types.'
flat_name: event.type
ignore_above: 1024
level: core
name: type
normalize:
- array
short: Event type. The third categorization field in the hierarchy.
type: keyword
host.architecture:
dashed_name: host-architecture
description: Operating system architecture.
example: x86_64
flat_name: host.architecture
ignore_above: 1024
level: core
name: architecture
normalize: []
short: Operating system architecture.
type: keyword
host.domain:
dashed_name: host-domain
description: 'Name of the domain of which the host is a member.
For example, on Windows this could be the host''s Active Directory domain or NetBIOS
domain name. For Linux this could be the domain of the host''s LDAP provider.'
example: CONTOSO
flat_name: host.domain
ignore_above: 1024
level: extended
name: domain
normalize: []
short: Name of the domain of which the host is a member.
type: keyword
host.hostname:
dashed_name: host-hostname
description: 'Hostname of the host.
It normally contains what the `hostname` command returns on the host machine.'
flat_name: host.hostname
ignore_above: 1024
level: core
name: hostname
normalize: []
short: Hostname of the host.
type: keyword
host.id:
dashed_name: host-id
description: 'Unique host id.
As hostname is not always unique, use values that are meaningful in your environment.
Example: The current usage of `beat.name`.'
flat_name: host.id
ignore_above: 1024
level: core
name: id
normalize: []
short: Unique host id.
type: keyword
host.ip:
dashed_name: host-ip
description: Host ip addresses.
flat_name: host.ip
level: core
name: ip
normalize:
- array
short: Host ip addresses.
type: ip
host.mac:
dashed_name: host-mac
description: 'Host MAC addresses.
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
is represented by two [uppercase] hexadecimal digits giving the value of the octet
as an unsigned integer. Successive octets are separated by a hyphen.'
example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
flat_name: host.mac
ignore_above: 1024
level: core
name: mac
normalize:
- array
pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
short: Host MAC addresses.
type: keyword
host.name:
dashed_name: host-name
description: 'Name of the host.
It can contain what hostname returns on Unix systems, the fully qualified domain
name (FQDN), or a name specified by the user. The recommended value is the lowercase
FQDN of the host.'
flat_name: host.name
ignore_above: 1024
level: core
name: name
normalize: []
short: Name of the host.
type: keyword
host.os.Ext:
dashed_name: host-os-Ext
description: Object for all custom defined fields to live in.
flat_name: host.os.Ext
level: custom
name: Ext
normalize: []
original_fieldset: os
short: Object for all custom defined fields to live in.
type: object
host.os.Ext.variant:
dashed_name: host-os-Ext-variant
description: A string value or phrase that further helps to classify or qualify the
operating system (OS). For example the distribution for a Linux OS will be entered
in this field.
example: Ubuntu
flat_name: host.os.Ext.variant
ignore_above: 1024
level: custom
name: Ext.variant
normalize: []
original_fieldset: os
short: A string value or phrase that further helps to classify or qualify the operating
system (OS).
type: keyword
host.os.family:
dashed_name: host-os-family
description: OS family (such as redhat, debian, freebsd, windows).
example: debian
flat_name: host.os.family
ignore_above: 1024
level: extended
name: family
normalize: []
original_fieldset: os
short: OS family (such as redhat, debian, freebsd, windows).
type: keyword
host.os.full:
dashed_name: host-os-full
description: Operating system name, including the version or code name.
example: Mac OS Mojave
flat_name: host.os.full
ignore_above: 1024
level: extended
multi_fields:
- flat_name: host.os.full.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: host.os.full.text
name: text
norms: false
type: text
name: full
normalize: []
original_fieldset: os
short: Operating system name, including the version or code name.
type: keyword
host.os.kernel:
dashed_name: host-os-kernel
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
flat_name: host.os.kernel
ignore_above: 1024
level: extended
name: kernel
normalize: []
original_fieldset: os
short: Operating system kernel version as a raw string.
type: keyword
host.os.name:
dashed_name: host-os-name
description: Operating system name, without the version.
example: Mac OS X
flat_name: host.os.name
ignore_above: 1024
level: extended
multi_fields:
- flat_name: host.os.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: host.os.name.text
name: text
norms: false
type: text
name: name
normalize: []
original_fieldset: os
short: Operating system name, without the version.
type: keyword
host.os.platform:
dashed_name: host-os-platform
description: Operating system platform (such as centos, ubuntu, windows).
example: darwin
flat_name: host.os.platform
ignore_above: 1024
level: extended
name: platform
normalize: []
original_fieldset: os
short: Operating system platform (such as centos, ubuntu, windows).
type: keyword
host.os.type:
dashed_name: host-os-type
description: 'Use the `os.type` field to categorize the operating system into one
of the broad commercial families.
If the OS you''re dealing with is not listed as an expected value, the field should
not be populated. Please let us know by opening an issue with ECS, to propose
its addition.'
example: macos
expected_values:
- linux
- macos
- unix
- windows
- ios
- android
flat_name: host.os.type
ignore_above: 1024
level: extended
name: type
normalize: []
original_fieldset: os
short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or
android).'
type: keyword
host.os.version:
dashed_name: host-os-version
description: Operating system version as a raw string.
example: 10.14.1
flat_name: host.os.version
ignore_above: 1024
level: extended
name: version
normalize: []
original_fieldset: os
short: Operating system version as a raw string.
type: keyword
host.type:
dashed_name: host-type
description: 'Type of host.
For Cloud providers this can be the machine type like `t2.medium`. If vm, this
could be the container, for example, or other information meaningful in your environment.'
flat_name: host.type
ignore_above: 1024
level: core
name: type
normalize: []
short: Type of host.
type: keyword
host.uptime:
dashed_name: host-uptime
description: Seconds the host has been up.
example: 1325
flat_name: host.uptime
level: extended
name: uptime
normalize: []
short: Seconds the host has been up.
type: long
message:
dashed_name: message
description: 'For log events the message field contains the log message, optimized
for viewing in a log viewer.
For structured logs without an original message field, other fields can be concatenated
to form a human-readable summary of the event.
If multiple messages exist, they can be combined into one message.'
example: Hello World
flat_name: message
level: core
name: message
normalize: []
short: Log message optimized for viewing in a log viewer.
type: match_only_text