schemas/v1/process/linux_event_model_event.yaml (2,720 lines of code)

'@timestamp':
  dashed_name: timestamp
  description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.'
  example: '2016-05-23T08:05:34.853Z'
  flat_name: '@timestamp'
  level: core
  name: '@timestamp'
  normalize: []
  required: true
  short: Date/time when the event originated.
  type: date
agent.ephemeral_id:
  dashed_name: agent-ephemeral-id
  description: 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.'
  example: 8a4f500f
  flat_name: agent.ephemeral_id
  ignore_above: 1024
  level: extended
  name: ephemeral_id
  normalize: []
  short: Ephemeral identifier of this agent.
  type: keyword
agent.id:
  dashed_name: agent-id
  description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.'
  example: 8a4f500d
  flat_name: agent.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  short: Unique identifier of this agent.
  type: keyword
agent.name:
  dashed_name: agent-name
  description: 'Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.'
  example: foo
  flat_name: agent.name
  ignore_above: 1024
  level: core
  name: name
  normalize: []
  short: Custom name of the agent.
  type: keyword
agent.type:
  dashed_name: agent-type
  description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.'
  example: filebeat
  flat_name: agent.type
  ignore_above: 1024
  level: core
  name: type
  normalize: []
  short: Type of the agent.
  type: keyword
agent.version:
  dashed_name: agent-version
  description: Version of the agent.
  example: 6.0.0-rc2
  flat_name: agent.version
  ignore_above: 1024
  level: core
  name: version
  normalize: []
  short: Version of the agent.
  type: keyword
cloud.account.id:
  dashed_name: cloud-account-id
  description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
  example: 666777888999
  flat_name: cloud.account.id
  ignore_above: 1024
  level: extended
  name: account.id
  normalize: []
  short: The cloud account or organization id.
  type: keyword
cloud.instance.name:
  dashed_name: cloud-instance-name
  description: Instance name of the host machine.
  flat_name: cloud.instance.name
  ignore_above: 1024
  level: extended
  name: instance.name
  normalize: []
  short: Instance name of the host machine.
  type: keyword
cloud.project.id:
  dashed_name: cloud-project-id
  description: 'The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.'
  example: my-project
  flat_name: cloud.project.id
  ignore_above: 1024
  level: extended
  name: project.id
  normalize: []
  short: The cloud project id.
  type: keyword
cloud.provider:
  dashed_name: cloud-provider
  description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
  example: aws
  flat_name: cloud.provider
  ignore_above: 1024
  level: extended
  name: provider
  normalize: []
  short: Name of the cloud provider.
  type: keyword
cloud.region:
  dashed_name: cloud-region
  description: Region in which this host, resource, or service is located.
  example: us-east-1
  flat_name: cloud.region
  ignore_above: 1024
  level: extended
  name: region
  normalize: []
  short: Region in which this host, resource, or service is located.
  type: keyword
container.id:
  dashed_name: container-id
  description: Unique container id.
  flat_name: container.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  short: Unique container id.
  type: keyword
container.image.hash.all:
  dashed_name: container-image-hash-all
  description: 'An array of digests of the image the container was built on. Each digest consists of the hash algorithm and value in this format: `algorithm:value`. Algorithm names should align with the field names in the ECS hash field set.'
  example: '[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]'
  flat_name: container.image.hash.all
  ignore_above: 1024
  level: extended
  name: image.hash.all
  normalize:
  - array
  short: An array of digests of the image the container was built on.
  type: keyword
container.image.name:
  dashed_name: container-image-name
  description: Name of the image the container was built on.
  flat_name: container.image.name
  ignore_above: 1024
  level: extended
  name: image.name
  normalize: []
  short: Name of the image the container was built on.
  type: keyword
container.image.tag:
  dashed_name: container-image-tag
  description: Container image tags.
  flat_name: container.image.tag
  ignore_above: 1024
  level: extended
  name: image.tag
  normalize:
  - array
  short: Container image tags.
  type: keyword
container.name:
  dashed_name: container-name
  description: Container name.
  flat_name: container.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  short: Container name.
  type: keyword
data_stream.dataset:
  dashed_name: data-stream-dataset
  description: Data stream dataset name.
  example: nginx.access
  flat_name: data_stream.dataset
  level: custom
  name: dataset
  normalize: []
  short: The field can contain anything that makes sense to signify the source of the data.
  type: constant_keyword
data_stream.namespace:
  dashed_name: data-stream-namespace
  description: Data stream namespace.
  example: production
  flat_name: data_stream.namespace
  level: custom
  name: namespace
  normalize: []
  short: A user defined namespace. Namespaces are useful to allow grouping of data.
  type: constant_keyword
data_stream.type:
  dashed_name: data-stream-type
  description: Data stream type.
  example: logs
  flat_name: data_stream.type
  level: custom
  name: type
  normalize: []
  short: An overarching type for the data stream.
  type: constant_keyword
group.id:
  dashed_name: group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  short: Unique identifier for the group on the system/platform.
  type: keyword
group.name:
  dashed_name: group-name
  description: Name of the group.
  flat_name: group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  short: Name of the group.
  type: keyword
host.boot.id:
  beta: This field is beta and subject to change.
  dashed_name: host-boot-id
  description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container.
  example: 88a1f0ed-5ae5-41ee-af6b-41921c311872
  flat_name: host.boot.id
  ignore_above: 1024
  level: extended
  name: boot.id
  normalize: []
  short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id
  type: keyword
host.pid_ns_ino:
  beta: This field is beta and subject to change.
  dashed_name: host-pid-ns-ino
  description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h.
  example: 256383
  flat_name: host.pid_ns_ino
  ignore_above: 1024
  level: extended
  name: pid_ns_ino
  normalize: []
  short: Pid namespace inode
  type: keyword
message:
  dashed_name: message
  description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.'
  example: Hello World
  flat_name: message
  level: core
  name: message
  normalize: []
  short: Log message optimized for viewing in a log viewer.
  type: match_only_text
orchestrator.cluster.id:
  dashed_name: orchestrator-cluster-id
  description: Unique ID of the cluster.
  flat_name: orchestrator.cluster.id
  ignore_above: 1024
  level: extended
  name: cluster.id
  normalize: []
  short: Unique ID of the cluster.
  type: keyword
orchestrator.cluster.name:
  dashed_name: orchestrator-cluster-name
  description: Name of the cluster.
  flat_name: orchestrator.cluster.name
  ignore_above: 1024
  level: extended
  name: cluster.name
  normalize: []
  short: Name of the cluster.
  type: keyword
orchestrator.namespace:
  dashed_name: orchestrator-namespace
  description: Namespace in which the action is taking place.
  example: kube-system
  flat_name: orchestrator.namespace
  ignore_above: 1024
  level: extended
  name: namespace
  normalize: []
  short: Namespace in which the action is taking place.
  type: keyword
orchestrator.resource.ip:
  dashed_name: orchestrator-resource-ip
  description: 'IP address assigned to the resource associated with the event being observed. In the case of a Kubernetes Pod, this array would contain only one element: the IP of the Pod (as opposed to the Node on which the Pod is running).'
  flat_name: orchestrator.resource.ip
  level: extended
  name: resource.ip
  normalize:
  - array
  short: IP address assigned to the resource associated with the event being observed.
  type: ip
orchestrator.resource.name:
  dashed_name: orchestrator-resource-name
  description: Name of the resource being acted upon.
  example: test-pod-cdcws
  flat_name: orchestrator.resource.name
  ignore_above: 1024
  level: extended
  name: resource.name
  normalize: []
  short: Name of the resource being acted upon.
  type: keyword
orchestrator.resource.parent.type:
  dashed_name: orchestrator-resource-parent-type
  description: Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet).
  example: DaemonSet
  flat_name: orchestrator.resource.parent.type
  ignore_above: 1024
  level: extended
  name: resource.parent.type
  normalize: []
  short: Type or kind of the parent resource associated with the event being observed.
  type: keyword
orchestrator.resource.type:
  dashed_name: orchestrator-resource-type
  description: Type of resource being acted upon.
  example: service
  flat_name: orchestrator.resource.type
  ignore_above: 1024
  level: extended
  name: resource.type
  normalize: []
  short: Type of resource being acted upon.
  type: keyword
process.args:
  dashed_name: process-args
  description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.'
  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
  flat_name: process.args
  ignore_above: 1024
  level: extended
  name: args
  normalize:
  - array
  short: Array of process arguments.
  type: keyword
process.args_count:
  dashed_name: process-args-count
  description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.'
  example: 4
  flat_name: process.args_count
  level: extended
  name: args_count
  normalize: []
  short: Length of the process.args array.
  type: long
process.command_line:
  dashed_name: process-command-line
  description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.'
  example: /usr/bin/ssh -l user 10.0.0.16
  flat_name: process.command_line
  level: extended
  multi_fields:
  - flat_name: process.command_line.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.command_line.text
    name: text
    norms: false
    type: text
  name: command_line
  normalize: []
  short: Full command line that started the process.
  type: wildcard
process.entity_id:
  dashed_name: process-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  short: Unique identifier for the process.
  type: keyword
process.entry_leader.args:
  dashed_name: process-entry-leader-args
  description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.'
  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
  flat_name: process.entry_leader.args
  ignore_above: 1024
  level: extended
  name: args
  normalize:
  - array
  original_fieldset: process
  short: Array of process arguments.
  type: keyword
process.entry_leader.args_count:
  dashed_name: process-entry-leader-args-count
  description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.'
  example: 4
  flat_name: process.entry_leader.args_count
  level: extended
  name: args_count
  normalize: []
  original_fieldset: process
  short: Length of the process.args array.
  type: long
process.entry_leader.attested_groups.name:
  dashed_name: process-entry-leader-attested-groups-name
  description: Name of the group.
  flat_name: process.entry_leader.attested_groups.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.entry_leader.attested_user.id:
  dashed_name: process-entry-leader-attested-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.entry_leader.attested_user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.entry_leader.attested_user.name:
  dashed_name: process-entry-leader-attested-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.entry_leader.attested_user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.entry_leader.attested_user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.entry_leader.command_line:
  dashed_name: process-entry-leader-command-line
  description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.'
  example: /usr/bin/ssh -l user 10.0.0.16
  flat_name: process.entry_leader.command_line
  level: extended
  multi_fields:
  - flat_name: process.entry_leader.command_line.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.entry_leader.command_line.text
    name: text
    norms: false
    type: text
  name: command_line
  normalize: []
  original_fieldset: process
  short: Full command line that started the process.
  type: wildcard
process.entry_leader.entity_id:
  dashed_name: process-entry-leader-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.entry_leader.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  original_fieldset: process
  short: Unique identifier for the process.
  type: keyword
process.entry_leader.entry_meta.source.ip:
  dashed_name: process-entry-leader-entry-meta-source-ip
  description: IP address of the source (IPv4 or IPv6).
  flat_name: process.entry_leader.entry_meta.source.ip
  level: core
  name: ip
  normalize: []
  original_fieldset: source
  short: IP address of the source.
  type: ip
process.entry_leader.entry_meta.type:
  dashed_name: process-entry-leader-entry-meta-type
  description: 'The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console Note: This field is only set on process.session_leader.'
  flat_name: process.entry_leader.entry_meta.type
  ignore_above: 1024
  level: extended
  name: entry_meta.type
  normalize: []
  original_fieldset: process
  short: The entry type for the entry session leader.
  type: keyword
process.entry_leader.executable:
  dashed_name: process-entry-leader-executable
  description: Absolute path to the process executable.
  example: /usr/bin/ssh
  flat_name: process.entry_leader.executable
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.entry_leader.executable.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.entry_leader.executable.text
    name: text
    norms: false
    type: text
  name: executable
  normalize: []
  original_fieldset: process
  short: Absolute path to the process executable.
  type: keyword
process.entry_leader.group.id:
  dashed_name: process-entry-leader-group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.entry_leader.group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.entry_leader.group.name:
  dashed_name: process-entry-leader-group-name
  description: Name of the group.
  flat_name: process.entry_leader.group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.entry_leader.interactive:
  dashed_name: process-entry-leader-interactive
  description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.'
  example: true
  flat_name: process.entry_leader.interactive
  level: extended
  name: interactive
  normalize: []
  original_fieldset: process
  short: Whether the process is connected to an interactive shell.
  type: boolean
process.entry_leader.name:
  dashed_name: process-entry-leader-name
  description: 'Process name. Sometimes called program name or similar.'
  example: ssh
  flat_name: process.entry_leader.name
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.entry_leader.name.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.entry_leader.name.text
    name: text
    norms: false
    type: text
  name: name
  normalize: []
  original_fieldset: process
  short: Process name.
  type: keyword
process.entry_leader.parent.entity_id:
  dashed_name: process-entry-leader-parent-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.entry_leader.parent.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  original_fieldset: process
  short: Unique identifier for the process.
  type: keyword
process.entry_leader.parent.pid:
  dashed_name: process-entry-leader-parent-pid
  description: Process id.
  example: 4242
  flat_name: process.entry_leader.parent.pid
  format: string
  level: core
  name: pid
  normalize: []
  original_fieldset: process
  short: Process id.
  type: long
process.entry_leader.parent.session_leader.entity_id:
  dashed_name: process-entry-leader-parent-session-leader-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.entry_leader.parent.session_leader.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  original_fieldset: process
  short: Unique identifier for the process.
  type: keyword
process.entry_leader.parent.session_leader.pid:
  dashed_name: process-entry-leader-parent-session-leader-pid
  description: Process id.
  example: 4242
  flat_name: process.entry_leader.parent.session_leader.pid
  format: string
  level: core
  name: pid
  normalize: []
  original_fieldset: process
  short: Process id.
  type: long
process.entry_leader.parent.session_leader.start:
  dashed_name: process-entry-leader-parent-session-leader-start
  description: The time the process started.
  example: '2016-05-23T08:05:34.853Z'
  flat_name: process.entry_leader.parent.session_leader.start
  level: extended
  name: start
  normalize: []
  original_fieldset: process
  short: The time the process started.
  type: date
process.entry_leader.parent.start:
  dashed_name: process-entry-leader-parent-start
  description: The time the process started.
  example: '2016-05-23T08:05:34.853Z'
  flat_name: process.entry_leader.parent.start
  level: extended
  name: start
  normalize: []
  original_fieldset: process
  short: The time the process started.
  type: date
process.entry_leader.pid:
  dashed_name: process-entry-leader-pid
  description: Process id.
  example: 4242
  flat_name: process.entry_leader.pid
  format: string
  level: core
  name: pid
  normalize: []
  original_fieldset: process
  short: Process id.
  type: long
process.entry_leader.real_group.id:
  dashed_name: process-entry-leader-real-group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.entry_leader.real_group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.entry_leader.real_group.name:
  dashed_name: process-entry-leader-real-group-name
  description: Name of the group.
  flat_name: process.entry_leader.real_group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.entry_leader.real_user.id:
  dashed_name: process-entry-leader-real-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.entry_leader.real_user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.entry_leader.real_user.name:
  dashed_name: process-entry-leader-real-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.entry_leader.real_user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.entry_leader.real_user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.entry_leader.same_as_process:
  dashed_name: process-entry-leader-same-as-process
  description: 'This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it''s not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.'
  example: true
  flat_name: process.entry_leader.same_as_process
  level: extended
  name: same_as_process
  normalize: []
  original_fieldset: process
  short: This boolean is used to identify if a leader process is the same as the top level process.
  type: boolean
process.entry_leader.saved_group.id:
  dashed_name: process-entry-leader-saved-group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.entry_leader.saved_group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.entry_leader.saved_group.name:
  dashed_name: process-entry-leader-saved-group-name
  description: Name of the group.
  flat_name: process.entry_leader.saved_group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.entry_leader.saved_user.id:
  dashed_name: process-entry-leader-saved-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.entry_leader.saved_user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.entry_leader.saved_user.name:
  dashed_name: process-entry-leader-saved-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.entry_leader.saved_user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.entry_leader.saved_user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.entry_leader.start:
  dashed_name: process-entry-leader-start
  description: The time the process started.
  example: '2016-05-23T08:05:34.853Z'
  flat_name: process.entry_leader.start
  level: extended
  name: start
  normalize: []
  original_fieldset: process
  short: The time the process started.
  type: date
process.entry_leader.supplemental_groups.id:
  dashed_name: process-entry-leader-supplemental-groups-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.entry_leader.supplemental_groups.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.entry_leader.supplemental_groups.name:
  dashed_name: process-entry-leader-supplemental-groups-name
  description: Name of the group.
  flat_name: process.entry_leader.supplemental_groups.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.entry_leader.tty:
  dashed_name: process-entry-leader-tty
  description: Information about the controlling TTY device. If set, the process belongs to an interactive session.
  flat_name: process.entry_leader.tty
  level: extended
  name: tty
  normalize: []
  original_fieldset: process
  short: Information about the controlling TTY device.
  type: object
process.entry_leader.tty.char_device.major:
  dashed_name: process-entry-leader-tty-char-device-major
  description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.
  example: 4
  flat_name: process.entry_leader.tty.char_device.major
  level: extended
  name: tty.char_device.major
  normalize: []
  original_fieldset: process
  short: The TTY character device's major number.
  type: long
process.entry_leader.tty.char_device.minor:
  dashed_name: process-entry-leader-tty-char-device-minor
  description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don\u2019t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them."
  example: 1
  flat_name: process.entry_leader.tty.char_device.minor
  level: extended
  name: tty.char_device.minor
  normalize: []
  original_fieldset: process
  short: The TTY character device's minor number.
  type: long
process.entry_leader.user.id:
  dashed_name: process-entry-leader-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.entry_leader.user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.entry_leader.user.name:
  dashed_name: process-entry-leader-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.entry_leader.user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.entry_leader.user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.entry_leader.working_directory:
  dashed_name: process-entry-leader-working-directory
  description: The working directory of the process.
  example: /home/alice
  flat_name: process.entry_leader.working_directory
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.entry_leader.working_directory.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.entry_leader.working_directory.text
    name: text
    norms: false
    type: text
  name: working_directory
  normalize: []
  original_fieldset: process
  short: The working directory of the process.
  type: keyword
process.env_vars:
  beta: This field is beta and subject to change.
  dashed_name: process-env-vars
  description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information.'
  example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
  flat_name: process.env_vars
  ignore_above: 1024
  level: extended
  name: env_vars
  normalize:
  - array
  short: Array of environment variable bindings.
  type: keyword
process.executable:
  dashed_name: process-executable
  description: Absolute path to the process executable.
  example: /usr/bin/ssh
  flat_name: process.executable
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.executable.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.executable.text
    name: text
    norms: false
    type: text
  name: executable
  normalize: []
  short: Absolute path to the process executable.
  type: keyword
process.group_leader.args:
  dashed_name: process-group-leader-args
  description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.'
  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
  flat_name: process.group_leader.args
  ignore_above: 1024
  level: extended
  name: args
  normalize:
  - array
  original_fieldset: process
  short: Array of process arguments.
  type: keyword
process.group_leader.args_count:
  dashed_name: process-group-leader-args-count
  description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.'
  example: 4
  flat_name: process.group_leader.args_count
  level: extended
  name: args_count
  normalize: []
  original_fieldset: process
  short: Length of the process.args array.
  type: long
process.group_leader.command_line:
  dashed_name: process-group-leader-command-line
  description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.'
  example: /usr/bin/ssh -l user 10.0.0.16
  flat_name: process.group_leader.command_line
  level: extended
  multi_fields:
  - flat_name: process.group_leader.command_line.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.group_leader.command_line.text
    name: text
    norms: false
    type: text
  name: command_line
  normalize: []
  original_fieldset: process
  short: Full command line that started the process.
  type: wildcard
process.group_leader.entity_id:
  dashed_name: process-group-leader-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.group_leader.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  original_fieldset: process
  short: Unique identifier for the process.
  type: keyword
process.group_leader.executable:
  dashed_name: process-group-leader-executable
  description: Absolute path to the process executable.
  example: /usr/bin/ssh
  flat_name: process.group_leader.executable
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.group_leader.executable.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.group_leader.executable.text
    name: text
    norms: false
    type: text
  name: executable
  normalize: []
  original_fieldset: process
  short: Absolute path to the process executable.
  type: keyword
process.group_leader.group.id:
  dashed_name: process-group-leader-group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.group_leader.group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.group_leader.group.name:
  dashed_name: process-group-leader-group-name
  description: Name of the group.
  flat_name: process.group_leader.group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.group_leader.interactive:
  dashed_name: process-group-leader-interactive
  description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.'
example: true flat_name: process.group_leader.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean process.group_leader.name: dashed_name: process-group-leader-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.group_leader.name ignore_above: 1024 level: extended multi_fields: - flat_name: process.group_leader.name.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: process.group_leader.name.text name: text norms: false type: text name: name normalize: [] original_fieldset: process short: Process name. type: keyword process.group_leader.pid: dashed_name: process-group-leader-pid description: Process id. example: 4242 flat_name: process.group_leader.pid format: string level: core name: pid normalize: [] original_fieldset: process short: Process id. type: long process.group_leader.real_group.id: dashed_name: process-group-leader-real-group-id description: Unique identifier for the group on the system/platform. flat_name: process.group_leader.real_group.id ignore_above: 1024 level: extended name: id normalize: [] original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword process.group_leader.real_group.name: dashed_name: process-group-leader-real-group-name description: Name of the group. flat_name: process.group_leader.real_group.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: group short: Name of the group. type: keyword process.group_leader.real_user.id: dashed_name: process-group-leader-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: process.group_leader.real_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user short: Unique identifier of the user. 
type: keyword process.group_leader.real_user.name: dashed_name: process-group-leader-real-user-name description: Short name or login of the user. example: a.einstein flat_name: process.group_leader.real_user.name ignore_above: 1024 level: core multi_fields: - flat_name: process.group_leader.real_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user short: Short name or login of the user. type: keyword process.group_leader.same_as_process: dashed_name: process-group-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it''s not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.' example: true flat_name: process.group_leader.same_as_process level: extended name: same_as_process normalize: [] original_fieldset: process short: This boolean is used to identify if a leader process is the same as the top level process. type: boolean process.group_leader.saved_group.id: dashed_name: process-group-leader-saved-group-id description: Unique identifier for the group on the system/platform. 
flat_name: process.group_leader.saved_group.id ignore_above: 1024 level: extended name: id normalize: [] original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword process.group_leader.saved_group.name: dashed_name: process-group-leader-saved-group-name description: Name of the group. flat_name: process.group_leader.saved_group.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: group short: Name of the group. type: keyword process.group_leader.saved_user.id: dashed_name: process-group-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: process.group_leader.saved_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user short: Unique identifier of the user. type: keyword process.group_leader.saved_user.name: dashed_name: process-group-leader-saved-user-name description: Short name or login of the user. example: a.einstein flat_name: process.group_leader.saved_user.name ignore_above: 1024 level: core multi_fields: - flat_name: process.group_leader.saved_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user short: Short name or login of the user. type: keyword process.group_leader.start: dashed_name: process-group-leader-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' flat_name: process.group_leader.start level: extended name: start normalize: [] original_fieldset: process short: The time the process started. type: date process.group_leader.supplemental_groups.id: dashed_name: process-group-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. flat_name: process.group_leader.supplemental_groups.id ignore_above: 1024 level: extended name: id normalize: [] original_fieldset: group short: Unique identifier for the group on the system/platform. 
type: keyword process.group_leader.supplemental_groups.name: dashed_name: process-group-leader-supplemental-groups-name description: Name of the group. flat_name: process.group_leader.supplemental_groups.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: group short: Name of the group. type: keyword process.group_leader.tty: dashed_name: process-group-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. flat_name: process.group_leader.tty level: extended name: tty normalize: [] original_fieldset: process short: Information about the controlling TTY device. type: object process.group_leader.tty.char_device.major: dashed_name: process-group-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 flat_name: process.group_leader.tty.char_device.major level: extended name: tty.char_device.major normalize: [] original_fieldset: process short: The TTY character device's major number. type: long process.group_leader.tty.char_device.minor: dashed_name: process-group-leader-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." example: 1 flat_name: process.group_leader.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] original_fieldset: process short: The TTY character device's minor number. 
type: long process.group_leader.user.id: dashed_name: process-group-leader-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: process.group_leader.user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user short: Unique identifier of the user. type: keyword process.group_leader.user.name: dashed_name: process-group-leader-user-name description: Short name or login of the user. example: a.einstein flat_name: process.group_leader.user.name ignore_above: 1024 level: core multi_fields: - flat_name: process.group_leader.user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user short: Short name or login of the user. type: keyword process.group_leader.working_directory: dashed_name: process-group-leader-working-directory description: The working directory of the process. example: /home/alice flat_name: process.group_leader.working_directory ignore_above: 1024 level: extended multi_fields: - flat_name: process.group_leader.working_directory.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: process.group_leader.working_directory.text name: text norms: false type: text name: working_directory normalize: [] original_fieldset: process short: The working directory of the process. type: keyword process.interactive: dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true flat_name: process.interactive level: extended name: interactive normalize: [] short: Whether the process is connected to an interactive shell. type: boolean process.io: beta: This field is beta and subject to change. dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' flat_name: process.io level: extended name: io normalize: [] short: A chunk of input or output (IO) from a single process. type: object process.io.max_bytes_per_process_exceeded: beta: This field is beta and subject to change. dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. flat_name: process.io.max_bytes_per_process_exceeded level: extended name: io.max_bytes_per_process_exceeded normalize: [] short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean process.io.text: beta: This field is beta and subject to change. dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' flat_name: process.io.text level: extended name: io.text normalize: [] short: A chunk of output or input sanitized to UTF-8. type: wildcard process.io.total_bytes_captured: beta: This field is beta and subject to change. 
dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. flat_name: process.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] short: The total number of bytes captured in this event. type: long process.io.total_bytes_skipped: beta: This field is beta and subject to change. dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero flat_name: process.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. type: long process.name: dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.name ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: process.name.text name: text norms: false type: text name: name normalize: [] short: Process name. type: keyword process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' flat_name: process.parent.args ignore_above: 1024 level: extended name: args normalize: - array original_fieldset: process short: Array of process arguments. type: keyword process.parent.args_count: dashed_name: process-parent-args-count description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' 
example: 4 flat_name: process.parent.args_count level: extended name: args_count normalize: [] original_fieldset: process short: Length of the process.args array. type: long process.parent.command_line: dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.parent.command_line level: extended multi_fields: - flat_name: process.parent.command_line.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: process.parent.command_line.text name: text norms: false type: text name: command_line normalize: [] original_fieldset: process short: Full command line that started the process. type: wildcard process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d flat_name: process.parent.entity_id ignore_above: 1024 level: extended name: entity_id normalize: [] original_fieldset: process short: Unique identifier for the process. type: keyword process.parent.executable: dashed_name: process-parent-executable description: Absolute path to the process executable. 
example: /usr/bin/ssh flat_name: process.parent.executable ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.executable.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: process.parent.executable.text name: text norms: false type: text name: executable normalize: [] original_fieldset: process short: Absolute path to the process executable. type: keyword process.parent.group.id: dashed_name: process-parent-group-id description: Unique identifier for the group on the system/platform. flat_name: process.parent.group.id ignore_above: 1024 level: extended name: id normalize: [] original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword process.parent.group.name: dashed_name: process-parent-group-name description: Name of the group. flat_name: process.parent.group.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: group short: Name of the group. type: keyword process.parent.group_leader.entity_id: dashed_name: process-parent-group-leader-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d flat_name: process.parent.group_leader.entity_id ignore_above: 1024 level: extended name: entity_id normalize: [] original_fieldset: process short: Unique identifier for the process. type: keyword process.parent.group_leader.pid: dashed_name: process-parent-group-leader-pid description: Process id. 
example: 4242 flat_name: process.parent.group_leader.pid format: string level: core name: pid normalize: [] original_fieldset: process short: Process id. type: long process.parent.group_leader.start: dashed_name: process-parent-group-leader-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' flat_name: process.parent.group_leader.start level: extended name: start normalize: [] original_fieldset: process short: The time the process started. type: date process.parent.interactive: dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true flat_name: process.parent.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean process.parent.name: dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.parent.name ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.caseless ignore_above: 1024 name: caseless normalizer: lowercase type: keyword - flat_name: process.parent.name.text name: text norms: false type: text name: name normalize: [] original_fieldset: process short: Process name. type: keyword process.parent.pid: dashed_name: process-parent-pid description: Process id. 
example: 4242 flat_name: process.parent.pid format: string level: core name: pid normalize: [] original_fieldset: process short: Process id. type: long process.parent.real_group.id: dashed_name: process-parent-real-group-id description: Unique identifier for the group on the system/platform. flat_name: process.parent.real_group.id ignore_above: 1024 level: extended name: id normalize: [] original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword process.parent.real_group.name: dashed_name: process-parent-real-group-name description: Name of the group. flat_name: process.parent.real_group.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: group short: Name of the group. type: keyword process.parent.real_user.id: dashed_name: process-parent-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: process.parent.real_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user short: Unique identifier of the user. type: keyword process.parent.real_user.name: dashed_name: process-parent-real-user-name description: Short name or login of the user. example: a.einstein flat_name: process.parent.real_user.name ignore_above: 1024 level: core multi_fields: - flat_name: process.parent.real_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user short: Short name or login of the user. type: keyword process.parent.saved_group.id: dashed_name: process-parent-saved-group-id description: Unique identifier for the group on the system/platform. flat_name: process.parent.saved_group.id ignore_above: 1024 level: extended name: id normalize: [] original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword process.parent.saved_group.name: dashed_name: process-parent-saved-group-name description: Name of the group. 
flat_name: process.parent.saved_group.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: group short: Name of the group. type: keyword process.parent.saved_user.id: dashed_name: process-parent-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: process.parent.saved_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user short: Unique identifier of the user. type: keyword process.parent.saved_user.name: dashed_name: process-parent-saved-user-name description: Short name or login of the user. example: a.einstein flat_name: process.parent.saved_user.name ignore_above: 1024 level: core multi_fields: - flat_name: process.parent.saved_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user short: Short name or login of the user. type: keyword process.parent.start: dashed_name: process-parent-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' flat_name: process.parent.start level: extended name: start normalize: [] original_fieldset: process short: The time the process started. type: date process.parent.supplemental_groups.id: dashed_name: process-parent-supplemental-groups-id description: Unique identifier for the group on the system/platform. flat_name: process.parent.supplemental_groups.id ignore_above: 1024 level: extended name: id normalize: [] original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword process.parent.supplemental_groups.name: dashed_name: process-parent-supplemental-groups-name description: Name of the group. flat_name: process.parent.supplemental_groups.name ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: group short: Name of the group. type: keyword process.parent.tty: dashed_name: process-parent-tty description: Information about the controlling TTY device. 
If set, the process belongs to an interactive session. flat_name: process.parent.tty level: extended name: tty normalize: [] original_fieldset: process short: Information about the controlling TTY device. type: object process.parent.tty.char_device.major: dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 flat_name: process.parent.tty.char_device.major level: extended name: tty.char_device.major normalize: [] original_fieldset: process short: The TTY character device's major number. type: long process.parent.tty.char_device.minor: dashed_name: process-parent-tty-char-device-minor description: "The minor number is used only by the driver specified by the major\ \ number; other parts of the kernel don\u2019t use it, and merely pass it along\ \ to the driver. It is common for a driver to control several devices; the minor\ \ number provides a way for the driver to differentiate among them." example: 1 flat_name: process.parent.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] original_fieldset: process short: The TTY character device's minor number. type: long process.parent.user.id: dashed_name: process-parent-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: process.parent.user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user short: Unique identifier of the user. type: keyword process.parent.user.name: dashed_name: process-parent-user-name description: Short name or login of the user. 
  example: a.einstein
  flat_name: process.parent.user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.parent.user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.parent.working_directory:
  dashed_name: process-parent-working-directory
  description: The working directory of the process.
  example: /home/alice
  flat_name: process.parent.working_directory
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.parent.working_directory.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.parent.working_directory.text
    name: text
    norms: false
    type: text
  name: working_directory
  normalize: []
  original_fieldset: process
  short: The working directory of the process.
  type: keyword
process.pid:
  dashed_name: process-pid
  description: Process id.
  example: 4242
  flat_name: process.pid
  format: string
  level: core
  name: pid
  normalize: []
  short: Process id.
  type: long
process.previous.args:
  dashed_name: process-previous-args
  description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.'
  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
  flat_name: process.previous.args
  ignore_above: 1024
  level: extended
  name: args
  normalize:
  - array
  original_fieldset: process
  short: Array of process arguments.
  type: keyword
process.previous.args_count:
  dashed_name: process-previous-args-count
  description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.'
  example: 4
  flat_name: process.previous.args_count
  level: extended
  name: args_count
  normalize: []
  original_fieldset: process
  short: Length of the process.args array.
  type: long
process.previous.executable:
  dashed_name: process-previous-executable
  description: Absolute path to the process executable.
  example: /usr/bin/ssh
  flat_name: process.previous.executable
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.previous.executable.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.previous.executable.text
    name: text
    norms: false
    type: text
  name: executable
  normalize: []
  original_fieldset: process
  short: Absolute path to the process executable.
  type: keyword
process.real_group.id:
  dashed_name: process-real-group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.real_group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.real_group.name:
  dashed_name: process-real-group-name
  description: Name of the group.
  flat_name: process.real_group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.real_user.id:
  dashed_name: process-real-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.real_user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.real_user.name:
  dashed_name: process-real-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.real_user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.real_user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.saved_group.id:
  dashed_name: process-saved-group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.saved_group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.saved_group.name:
  dashed_name: process-saved-group-name
  description: Name of the group.
  flat_name: process.saved_group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.saved_user.id:
  dashed_name: process-saved-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.saved_user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.saved_user.name:
  dashed_name: process-saved-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.saved_user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.saved_user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.session_leader.args:
  dashed_name: process-session-leader-args
  description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.'
  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
  flat_name: process.session_leader.args
  ignore_above: 1024
  level: extended
  name: args
  normalize:
  - array
  original_fieldset: process
  short: Array of process arguments.
  type: keyword
process.session_leader.args_count:
  dashed_name: process-session-leader-args-count
  description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.'
  example: 4
  flat_name: process.session_leader.args_count
  level: extended
  name: args_count
  normalize: []
  original_fieldset: process
  short: Length of the process.args array.
  type: long
process.session_leader.command_line:
  dashed_name: process-session-leader-command-line
  description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.'
  example: /usr/bin/ssh -l user 10.0.0.16
  flat_name: process.session_leader.command_line
  level: extended
  multi_fields:
  - flat_name: process.session_leader.command_line.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.session_leader.command_line.text
    name: text
    norms: false
    type: text
  name: command_line
  normalize: []
  original_fieldset: process
  short: Full command line that started the process.
  type: wildcard
process.session_leader.entity_id:
  dashed_name: process-session-leader-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.session_leader.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  original_fieldset: process
  short: Unique identifier for the process.
  type: keyword
process.session_leader.executable:
  dashed_name: process-session-leader-executable
  description: Absolute path to the process executable.
  example: /usr/bin/ssh
  flat_name: process.session_leader.executable
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.session_leader.executable.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.session_leader.executable.text
    name: text
    norms: false
    type: text
  name: executable
  normalize: []
  original_fieldset: process
  short: Absolute path to the process executable.
  type: keyword
process.session_leader.group.id:
  dashed_name: process-session-leader-group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.session_leader.group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.session_leader.group.name:
  dashed_name: process-session-leader-group-name
  description: Name of the group.
  flat_name: process.session_leader.group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.session_leader.interactive:
  dashed_name: process-session-leader-interactive
  description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.'
  example: true
  flat_name: process.session_leader.interactive
  level: extended
  name: interactive
  normalize: []
  original_fieldset: process
  short: Whether the process is connected to an interactive shell.
  type: boolean
process.session_leader.name:
  dashed_name: process-session-leader-name
  description: 'Process name. Sometimes called program name or similar.'
  example: ssh
  flat_name: process.session_leader.name
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.session_leader.name.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.session_leader.name.text
    name: text
    norms: false
    type: text
  name: name
  normalize: []
  original_fieldset: process
  short: Process name.
  type: keyword
process.session_leader.parent.entity_id:
  dashed_name: process-session-leader-parent-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.session_leader.parent.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  original_fieldset: process
  short: Unique identifier for the process.
  type: keyword
process.session_leader.parent.pid:
  dashed_name: process-session-leader-parent-pid
  description: Process id.
  example: 4242
  flat_name: process.session_leader.parent.pid
  format: string
  level: core
  name: pid
  normalize: []
  original_fieldset: process
  short: Process id.
  type: long
process.session_leader.parent.session_leader.entity_id:
  dashed_name: process-session-leader-parent-session-leader-entity-id
  description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.'
  example: c2c455d9f99375d
  flat_name: process.session_leader.parent.session_leader.entity_id
  ignore_above: 1024
  level: extended
  name: entity_id
  normalize: []
  original_fieldset: process
  short: Unique identifier for the process.
  type: keyword
process.session_leader.parent.session_leader.pid:
  dashed_name: process-session-leader-parent-session-leader-pid
  description: Process id.
  example: 4242
  flat_name: process.session_leader.parent.session_leader.pid
  format: string
  level: core
  name: pid
  normalize: []
  original_fieldset: process
  short: Process id.
  type: long
process.session_leader.parent.session_leader.start:
  dashed_name: process-session-leader-parent-session-leader-start
  description: The time the process started.
  example: '2016-05-23T08:05:34.853Z'
  flat_name: process.session_leader.parent.session_leader.start
  level: extended
  name: start
  normalize: []
  original_fieldset: process
  short: The time the process started.
  type: date
process.session_leader.parent.start:
  dashed_name: process-session-leader-parent-start
  description: The time the process started.
  example: '2016-05-23T08:05:34.853Z'
  flat_name: process.session_leader.parent.start
  level: extended
  name: start
  normalize: []
  original_fieldset: process
  short: The time the process started.
  type: date
process.session_leader.pid:
  dashed_name: process-session-leader-pid
  description: Process id.
  example: 4242
  flat_name: process.session_leader.pid
  format: string
  level: core
  name: pid
  normalize: []
  original_fieldset: process
  short: Process id.
  type: long
process.session_leader.real_group.id:
  dashed_name: process-session-leader-real-group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.session_leader.real_group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.session_leader.real_group.name:
  dashed_name: process-session-leader-real-group-name
  description: Name of the group.
  flat_name: process.session_leader.real_group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.session_leader.real_user.id:
  dashed_name: process-session-leader-real-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.session_leader.real_user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.session_leader.real_user.name:
  dashed_name: process-session-leader-real-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.session_leader.real_user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.session_leader.real_user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.session_leader.same_as_process:
  dashed_name: process-session-leader-same-as-process
  description: 'This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it''s not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.'
  example: true
  flat_name: process.session_leader.same_as_process
  level: extended
  name: same_as_process
  normalize: []
  original_fieldset: process
  short: This boolean is used to identify if a leader process is the same as the top level process.
  type: boolean
process.session_leader.saved_group.id:
  dashed_name: process-session-leader-saved-group-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.session_leader.saved_group.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.session_leader.saved_group.name:
  dashed_name: process-session-leader-saved-group-name
  description: Name of the group.
  flat_name: process.session_leader.saved_group.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.session_leader.saved_user.id:
  dashed_name: process-session-leader-saved-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.session_leader.saved_user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.session_leader.saved_user.name:
  dashed_name: process-session-leader-saved-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.session_leader.saved_user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.session_leader.saved_user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.session_leader.start:
  dashed_name: process-session-leader-start
  description: The time the process started.
  example: '2016-05-23T08:05:34.853Z'
  flat_name: process.session_leader.start
  level: extended
  name: start
  normalize: []
  original_fieldset: process
  short: The time the process started.
  type: date
process.session_leader.supplemental_groups.id:
  dashed_name: process-session-leader-supplemental-groups-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.session_leader.supplemental_groups.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.session_leader.supplemental_groups.name:
  dashed_name: process-session-leader-supplemental-groups-name
  description: Name of the group.
  flat_name: process.session_leader.supplemental_groups.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.session_leader.tty:
  dashed_name: process-session-leader-tty
  description: Information about the controlling TTY device. If set, the process belongs to an interactive session.
  flat_name: process.session_leader.tty
  level: extended
  name: tty
  normalize: []
  original_fieldset: process
  short: Information about the controlling TTY device.
  type: object
process.session_leader.tty.char_device.major:
  dashed_name: process-session-leader-tty-char-device-major
  description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.
  example: 4
  flat_name: process.session_leader.tty.char_device.major
  level: extended
  name: tty.char_device.major
  normalize: []
  original_fieldset: process
  short: The TTY character device's major number.
  type: long
process.session_leader.tty.char_device.minor:
  dashed_name: process-session-leader-tty-char-device-minor
  description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don\u2019t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them."
  example: 1
  flat_name: process.session_leader.tty.char_device.minor
  level: extended
  name: tty.char_device.minor
  normalize: []
  original_fieldset: process
  short: The TTY character device's minor number.
  type: long
process.session_leader.user.id:
  dashed_name: process-session-leader-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.session_leader.user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.session_leader.user.name:
  dashed_name: process-session-leader-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.session_leader.user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.session_leader.user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.session_leader.working_directory:
  dashed_name: process-session-leader-working-directory
  description: The working directory of the process.
  example: /home/alice
  flat_name: process.session_leader.working_directory
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.session_leader.working_directory.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.session_leader.working_directory.text
    name: text
    norms: false
    type: text
  name: working_directory
  normalize: []
  original_fieldset: process
  short: The working directory of the process.
  type: keyword
process.start:
  dashed_name: process-start
  description: The time the process started.
  example: '2016-05-23T08:05:34.853Z'
  flat_name: process.start
  level: extended
  name: start
  normalize: []
  short: The time the process started.
  type: date
process.supplemental_groups.id:
  dashed_name: process-supplemental-groups-id
  description: Unique identifier for the group on the system/platform.
  flat_name: process.supplemental_groups.id
  ignore_above: 1024
  level: extended
  name: id
  normalize: []
  original_fieldset: group
  short: Unique identifier for the group on the system/platform.
  type: keyword
process.supplemental_groups.name:
  dashed_name: process-supplemental-groups-name
  description: Name of the group.
  flat_name: process.supplemental_groups.name
  ignore_above: 1024
  level: extended
  name: name
  normalize: []
  original_fieldset: group
  short: Name of the group.
  type: keyword
process.tty:
  dashed_name: process-tty
  description: Information about the controlling TTY device. If set, the process belongs to an interactive session.
  flat_name: process.tty
  level: extended
  name: tty
  normalize: []
  short: Information about the controlling TTY device.
  type: object
process.tty.char_device.major:
  dashed_name: process-tty-char-device-major
  description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.
  example: 4
  flat_name: process.tty.char_device.major
  level: extended
  name: tty.char_device.major
  normalize: []
  short: The TTY character device's major number.
  type: long
process.tty.char_device.minor:
  dashed_name: process-tty-char-device-minor
  description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don\u2019t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them."
  example: 1
  flat_name: process.tty.char_device.minor
  level: extended
  name: tty.char_device.minor
  normalize: []
  short: The TTY character device's minor number.
  type: long
process.tty.columns:
  beta: This field is beta and subject to change.
  dashed_name: process-tty-columns
  description: 'The number of character columns per line. e.g terminal width Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = ''text_output'''
  example: 80
  flat_name: process.tty.columns
  level: extended
  name: tty.columns
  normalize: []
  short: The number of character columns per line. e.g terminal width
  type: long
process.tty.rows:
  beta: This field is beta and subject to change.
  dashed_name: process-tty-rows
  description: 'The number of character rows in the terminal. e.g terminal height Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = ''text_output'''
  example: 24
  flat_name: process.tty.rows
  level: extended
  name: tty.rows
  normalize: []
  short: The number of character rows in the terminal. e.g terminal height
  type: long
process.user.id:
  dashed_name: process-user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: process.user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  original_fieldset: user
  short: Unique identifier of the user.
  type: keyword
process.user.name:
  dashed_name: process-user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: process.user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: process.user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  original_fieldset: user
  short: Short name or login of the user.
  type: keyword
process.working_directory:
  dashed_name: process-working-directory
  description: The working directory of the process.
  example: /home/alice
  flat_name: process.working_directory
  ignore_above: 1024
  level: extended
  multi_fields:
  - flat_name: process.working_directory.caseless
    ignore_above: 1024
    name: caseless
    normalizer: lowercase
    type: keyword
  - flat_name: process.working_directory.text
    name: text
    norms: false
    type: text
  name: working_directory
  normalize: []
  short: The working directory of the process.
  type: keyword
user.id:
  dashed_name: user-id
  description: Unique identifier of the user.
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  flat_name: user.id
  ignore_above: 1024
  level: core
  name: id
  normalize: []
  short: Unique identifier of the user.
  type: keyword
user.name:
  dashed_name: user-name
  description: Short name or login of the user.
  example: a.einstein
  flat_name: user.name
  ignore_above: 1024
  level: core
  multi_fields:
  - flat_name: user.name.text
    name: text
    type: match_only_text
  name: name
  normalize: []
  short: Short name or login of the user.
  type: keyword