search.elastic.co (76.76.21.22)

Submitted URL: http://search.elastic.co/
Effective URL: https://search.elastic.co/de
Submission: On August 26 via manual from UA, scanned from DE


Showing 1–20 of 23,551 results for


 1.  TRUST MANAGEMENT
     
     https://www.elastic.co/guide/en/cloud-enterprise/current/ece-trust-management.html
     Documentation
     
     In order to establish a remote connection between two remote clusters, they must both trust each other. Trust is bi-directional: if one of the clusters doesn't trust the other, the remote connection won't be established. Mutual trust between two clusters is required to enable cross-cluster search and cross-cluster replication. Trust can be configured individually for each deployment.
     
     Default trust with other clusters in the same ECE environment
     
     By default, any deployment that you or your users create trusts all other deployments in the same Elastic Cloud Enterprise environment. You can change this behavior in the Cloud UI under Platform > Trust Management, so that when a new deployment is created it does not trust any other deployment. You can choose one of the following options:
     
      * Trust all my deployments: new deployments will by default trust any other deployment from your ECE environment (even deployments that don't exist when the deployment is created).
      * Trust no deployment: new deployments won't trust any other deployment when they are created. (This can be changed later in the deployment trust settings.)
     
     Note the following behaviours with this trust setting:
     
      * Changing the trust settings affects only deployments that you create in the future. The level of trust of existing deployments is not modified by this setting.
      * Deployments created before Elastic Cloud Enterprise version 2.9.0 trust only themselves. You need to update the trust setting for each deployment that you want to either use as a remote cluster or configure to work with a remote cluster.
     
     Update the trust settings of a deployment
     
     A deployment can be configured to trust all, specific, or no deployments in the same ECE environment, other remote ECE environments, Elastic Cloud, or self-managed environments. This can be done in the Security page of your deployment:
     
      1. Log into the Cloud UI.
      2. On the deployments page, select your deployment. Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.
      3. From the Security menu, find the Trust Management section. The page shows a list of all the deployments that this deployment trusts, grouped by environment. Initially only the Local Environment appears, which represents the current ECE environment, but you can trust deployments in other ECE environments, in Elastic Cloud, or any self-managed environment.
     
     Configuring trust with clusters in the same ECE environment
     
     Edit the Local Environment trust level (this represents the current ECE environment). Choose one of the following options to configure the level of trust on each of your deployments:
     
      * Trust all deployments: this deployment trusts all other deployments in this ECE environment, including new deployments when they are created.
      * Trust specific deployments: choose which of the existing deployments from your ECE environment you want to trust.
      * Trust no deployment: no deployment in this ECE environment is trusted.
     
     Using the API
     
     You can update a deployment using the appropriate trust settings for the elasticsearch payload. The current trust settings can be found in the path .resources.elasticsearch[0].info.settings.trust when calling:
     
         curl -k -X GET -H "Authorization: ApiKey $ECE_API_KEY" \
           "https://COORDINATOR_HOST:12443/api/v1/deployments/$DEPLOYMENT_ID?show_settings=true"
     
     For example:
     
         {
           "accounts": [
             {
               "account_id": "ec38dd0aa45f4a69909ca5c81c27138a",
               "trust_all": true
             }
           ]
         }
     
     The account_id above represents the only account in an ECE environment, and therefore is the one used to update the trust level with deployments in the current ECE environment. For example, to update the trust level to trust only the deployment with cluster ID cf659f7fe6164d9691b284ae36811be1, the trust settings in the body would look like this:
     
         {
           "trust": {
             "accounts": [
               {
                 "account_id": "ec38dd0aa45f4a69909ca5c81c27138a",
                 "trust_all": false,
                 "trust_allowlist": [ "cf659f7fe6164d9691b284ae36811be1" ]
               }
             ]
           }
         }
     
     Configuring trust with clusters in other remote ECE environments
     
     In order to configure remote clusters in other ECE environments, you will first need to establish a bi-directional trust relationship between both ECE environments:
     
      1. Download the certificate and copy the environment ID from your first ECE environment under Platform > Trust Management > Trust parameters.
      2. Create a new trust relationship in the other ECE environment under Platform > Trust Management > Trusted environments using the certificate and environment ID from the previous step.
      3. Download the certificate and copy the environment ID from your second ECE environment and create a new trust relationship with those in the first ECE environment.
     
     Now, deployments in those environments will be able to configure trust with deployments in the other environment. Trust must always be bi-directional (the local cluster must trust the remote cluster and vice versa) and it can be configured in each deployment page, under Security > Trust Management:
     
      * Select Add trusted environment to configure trust with deployments in another ECE environment whose trust relationship has been created in the previous step.
      * For each trusted ECE environment you can edit the trust level to trust all deployments or just specific ones. For the specific ones option, you can introduce a list of Elasticsearch cluster IDs to trust from that ECE environment. The Elasticsearch Cluster ID can be found in the deployment overview page under Applications.
     
     Using the API
     
     You can update a deployment using the appropriate trust settings for the elasticsearch payload. Establishing the trust between the two Elastic Cloud Enterprise environments can be done using the trust relationships API. For example, the list of trusted environments can be obtained by calling the list trust relationships endpoint:
     
         curl -k -X GET -H "Authorization: ApiKey $ECE_API_KEY" \
           "https://COORDINATOR_HOST:12443/api/v1/regions/ece-region/platform/configuration/trust-relationships?include_certificate=false"
     
     For each remote ECE environment, it will return something like this:
     
         {
           "id": "83a7b03f2a4343fe99f09bd27ca3d9ec",
           "name": "ECE2",
           "trust_by_default": false,
           "account_ids": [ "651598b101e54ccab1bfdcd8b6e3b8be" ],
           "local": false,
           "last_modified": "2022-01-9T14:33:20.465Z"
         }
     
     In order to trust a deployment with cluster id 123456789 in this environment named ECE2, you need to update the trust settings with an external trust relationship like this:
     
         {
           "trust": {
             "accounts": [
               {
                 "account_id": "ec38dd0aa45f4a69909ca5c81c27138a",
                 "trust_all": true
               }
             ],
             "external": [
               {
                 "trust_relationship_id": "83a7b03f2a4343fe99f09bd27ca3d9ec",
                 "trust_all": false,
                 "trust_allowlist": [ "123456789" ]
               }
             ]
           }
         }
     
     Configuring trust with clusters in Elastic Cloud
     
     A deployment can be configured to trust all or specific deployments from an organization in Elastic Cloud:
     
      1. From the Security menu, select Trusted deployments > Add trusted environment and select Elastic Cloud Organization.
      2. Enter the organization ID (which can be found near the organization name).
      3. Upload the Certificate Authorities of the deployments you want to trust. These can be downloaded from the Security page of each deployment (not only the current CA, but also future certificates in case they are expiring soon, since they are periodically rotated). Deployments from the same region are signed by the same CA, so you will only need to upload one for each region.
      4. Choose one of the following options to configure the level of trust with the Organization:
          * All deployments: this deployment trusts all deployments in the organization in the regions whose certificate authorities have been uploaded, including new deployments when they are created.
          * Specific deployments: specify which of the existing deployments you want to trust from this organization. The full Elasticsearch cluster ID must be entered for each remote cluster. The Elasticsearch Cluster ID can be found in the deployment overview page under Applications.
      5. Configure the deployment in Elastic Cloud to trust this deployment, so that both deployments are configured to trust each other.
     
     Note that the organization ID and cluster IDs must be entered fully and correctly. For security reasons, no verification of the IDs is possible. If cross-environment trust does not appear to be working, double-checking the IDs is a good place to start.
     
     Using the API
     
     You can update a deployment using the appropriate trust settings for the elasticsearch payload. In order to trust a deployment with cluster id cf659f7fe6164d9691b284ae36811be1 in an organization with organization ID 803289842, you need to update the trust settings with an additional direct trust relationship like this:
     
         {
           "trust": {
             "accounts": [
               {
                 "account_id": "ec38dd0aa45f4a69909ca5c81c27138a",
                 "trust_all": true
               }
             ],
             "direct": [
               {
                 "type": "ESS",
                 "name": "My Organization",
                 "scope_id": "803289842",
                 "certificates": [
                   { "pem": "-----BEGIN CERTIFICATE-----\nMIIDTzCCA...H0=\n-----END CERTIFICATE-----" }
                 ],
                 "trust_all": false,
                 "trust_allowlist": [ "cf659f7fe6164d9691b284ae36811be1" ]
               }
             ]
           }
         }
     
     Configuring trust with clusters in a self-managed environment
     
     A deployment can be configured to trust all or specific deployments in any environment:
     
      1. From the Security menu, select Trusted deployments > Add trusted environment and select Self managed Elasticsearch.
      2. Upload the public certificate for the Certificate Authority of the self-managed environment (the one used to sign all the cluster certificates). The certificate needs to be in PEM format and should not contain the private key. If you only have the key in p12 format, then you can create the necessary file like this:
     
             openssl pkcs12 -in elastic-stack-ca.p12 -out newfile.crt.pem -clcerts -nokeys
     
      3. Select the clusters to trust. There are two options here depending on the subject name of the certificates presented by the nodes in your self-managed cluster:
          * Following the Elastic Cloud pattern. In Elastic Cloud, the certificates of all Elasticsearch nodes follow this convention: CN = {node_id}.node.{cluster_id}.cluster.{scope_id}. If you follow the same convention in your self-managed environment, then choose this option and you will be able to select all or specific clusters to trust.
          * If your clusters don't follow the previous convention for the certificate subject name of your nodes, you can still specify the node name of each of the nodes that should be trusted by this deployment. (Keep in mind that following this convention will simplify the management of this cluster, since otherwise this configuration will need to be updated every time the topology of your self-managed cluster changes, along with the trust restriction file. For this reason, it is recommended to migrate your cluster certificates to follow the previous convention.)
     
         Trust management will not work properly in clusters without an otherName value specified, as is the case by default in an out-of-the-box Elasticsearch installation. To have the Elasticsearch certutil generate new certificates with the otherName attribute, use the file input with the cn attribute as in the example below.
     
      4. Configure the self-managed cluster to trust this deployment, so that both deployments are configured to trust each other:
          a. Download the Certificate Authority used to sign the certificates of your deployment nodes (it can be found in the Security page of your deployment).
          b. Trust this CA either using the setting xpack.security.transport.ssl.certificate_authorities in elasticsearch.yml or by adding it to the trust store.
          c. Generate certificates with an otherName attribute using the Elasticsearch certutil. Create a file called instances.yaml with all the details of the nodes in your on-premise cluster like below. The dns and ip settings are optional, but cn is mandatory for use with the trust_restrictions path setting in the next step. Next, run ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 -in instances.yaml to create new certificates for all the nodes at once. You can then copy the resulting files into each node.
     
                 instances:
                   - name: "node1"
                     dns: ["node1.mydomain.com"]
                     ip: ["192.168.1.1"]
                     cn: ["node1.node.1234567abcd.cluster.myscope.account"]
                   - name: "node2"
                     dns: ["node2.mydomain.com"]
                     ip: ["192.168.1.2"]
                     cn: ["node2.node.1234567abcd.cluster.myscope.account"]
     
          d. Restrict the trusted clusters to allow only the ones which your self-managed cluster should trust. All the clusters in your Elastic Cloud Enterprise environment are signed by the same certificate authority. Therefore, adding this CA would make the self-managed cluster trust all your clusters in your ECE environment. This should be limited using the setting xpack.security.transport.ssl.trust_restrictions.path in elasticsearch.yml, which points to a file that limits the certificates to trust based on their otherName attribute. For example, the following file would trust:
              * two specific clusters with cluster ids aaaabbbbaaaabbbb <1> and xxxxyyyyxxxxyyyy <2> in an ECE environment with Environment ID 1053523734;
              * any cluster from an ECE environment with Environment ID 83988631 <3>;
              * the nodes from its own cluster <4> (whose certificates follow a different convention: CN = node1.example.com, CN = node2.example.com and CN = node3.example.com).
     
                 trust.subject_name:
                   - *.node.aaaabbbbaaaabbbb.cluster.1053523734.account <1>
                   - *.node.xxxxyyyyxxxxyyyy.cluster.1053523734.account <2>
                   - *.node.*.cluster.83988631.account <3>
                   - node*.example.com <4>
     
          e. Generate new node certificates for an entire cluster using the file input mode of the certutil.
     
     Using the API
     
     You can update a deployment using the appropriate trust settings for the elasticsearch payload. In order to trust a cluster whose nodes present certificates with the subject names "CN = node1.example.com", "CN = node2.example.com" and "CN = node3.example.com" in a self-managed environment, you could update the trust settings with an additional direct trust relationship like this:
     
         {
           "trust": {
             "accounts": [
               {
                 "account_id": "ec38dd0aa45f4a69909ca5c81c27138a",
                 "trust_all": true
               }
             ],
             "direct": [
               {
                 "type": "generic",
                 "name": "My Self-managed environment",
                 "additional_node_names": ["node1.example.com", "node2.example.com", "node3.example.com"],
                 "certificates": [
                   { "pem": "-----BEGIN CERTIFICATE-----\nMIIDTzCCA...H0=\n-----END CERTIFICATE-----" }
                 ],
                 "trust_all": false
               }
             ]
           }
         }


 2.  EXPORT SAVED OBJECTS
     
     https://www.elastic.co/docs/api/doc/serverless/operation/operation-exportsavedobjects
     Documentation
     
     Export saved objects
     POST /s/{spaceId}/api/saved_objects/_export
     Serverless | saved objects | api key auth
     
     Retrieves sets of saved objects that you want to import into Kibana. You must include type or objects in the request body.
     
     NOTE: The savedObjects.maxImportExportSize configuration setting limits the number of saved objects which may be exported.
     
     This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
     
     Headers
      * kbn-xsrf (string, required): Cross-site request forgery protection.
     
     Path parameters
      * spaceId (string, required): An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.
     
     Body (application/json, required)
      * excludeExportDetails (boolean): Do not add an export details entry at the end of the stream. Default value is false.
      * includeReferencesDeep (boolean): Includes all of the referenced objects in the exported objects.
      * objects (array[object]): A list of objects to export.
      * type (string | array[string]): The saved object types to include in the export. Use * to export all the types.
     
     Responses
      * 200 (application/x-ndjson): Indicates a successful call. Response attribute: object; additional properties are allowed.
      * 400 (application/json): Bad request. Response attributes: error (string, required; value is Bad Request), message (string, required), statusCode (integer, required; value is 400).
     
     POST /s/{spaceId}/api/saved_objects/_export
     
         curl \
           -X POST https://localhost:5601/s/default/api/saved_objects/_export \
           -H "Authorization: $API_KEY" \
           -H "Content-Type: application/json" \
           -H "kbn-xsrf: string" \
           -d '{"objects":[{"id":"de71f4f0-1902-11e9-919b-ffe5949a18d2","type":"map"}],"excludeExportDetails":true,"includeReferencesDeep":false}'
     
     Request example
     
         {
           "objects": [
             { "id": "de71f4f0-1902-11e9-919b-ffe5949a18d2", "type": "map" }
           ],
           "excludeExportDetails": true,
           "includeReferencesDeep": false
         }
     
     Response examples (200)
     
         {
           "id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
           "type": "map",
           "managed": false,
           "version": "WzEzLDFd",
           "attributes": {
             "title": "[Logs] Total Requests and Bytes",
             "description": "",
             "uiStateJSON": "{\"isDarkMode\":false}",
             "mapStateJSON": "{\"zoom\":3.64,\"center\":{\"lon\":-88.92107,\"lat\":42.16337},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"settings\":{\"autoFitToDataBounds\":false}}",
             "layerListJSON": "[{\"id\":\"0hmz5\",\"alpha\":1,\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"visible\":true,\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"minZoom\":0,\"maxZoom\":24},{\"id\":\"edh66\",\"label\":\"Total Requests by Destination\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.5,\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\",\"iso2\"]},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e\",\"origin\":\"join\"},\"color\":\"Greys\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":10}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\",\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"673ff994-fc75-4c67-909b-69fcb0e1060e\",\"indexPatternTitle\":\"kibana_sample_data_logs\",\"term\":\"geo.dest\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"}],\"applyGlobalQuery\":true}}]},{\"id\":\"gaxya\",\"label\":\"Actual Requests\",\"minZoom\":9,\"maxZoom\":24,\"alpha\":1,\"sourceDescriptor\":{\"id\":\"b7486535-171b-4d3b-bb2e-33c1a0a2854c\",\"type\":\"ES_SEARCH\",\"geoField\":\"geo.coordinates\",\"limit\":2048,\"filterByMapBounds\":true,\"tooltipProperties\":[\"clientip\",\"timestamp\",\"host\",\"request\",\"response\",\"machine.os\",\"agent\",\"bytes\"],\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#2200ff\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"bytes\",\"origin\":\"source\"},\"minSize\":1,\"maxSize\":23,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"},{\"id\":\"tfi3f\",\"label\":\"Total Requests and Bytes\",\"minZoom\":0,\"maxZoom\":9,\"alpha\":1,\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"resolution\":\"COARSE\",\"id\":\"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b\",\"geoField\":\"geo.coordinates\",\"requestType\":\"point\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"},{\"type\":\"sum\",\"field\":\"bytes\"}],\"indexPatternRefName\":\"layer_3_source_index_pattern\",\"applyGlobalQuery\":true},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#cccccc\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"sum_of_bytes\",\"origin\":\"source\"},\"minSize\":7,\"maxSize\":25,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":12,\"maxSize\":24,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"}]"
           },
           "created_at": "2023-08-23T20:03:32.204Z",
           "references": [
             { "id": "90943e30-9a47-11e8-b64d-95841ca0b247", "name": "layer_1_join_0_index_pattern", "type": "index-pattern" },
             { "id": "90943e30-9a47-11e8-b64d-95841ca0b247", "name": "layer_2_source_index_pattern", "type": "index-pattern" },
             { "id": "90943e30-9a47-11e8-b64d-95841ca0b247", "name": "layer_3_source_index_pattern", "type": "index-pattern" }
           ],
           "updated_at": "2023-08-23T20:03:32.204Z",
           "coreMigrationVersion": "8.8.0",
           "typeMigrationVersion": "8.4.0"
         }
     
     Response examples (400)
     
         {
           "error": "Bad Request",
           "message": "string",
           "statusCode": 400
         }


 3.  GRANT ACCESS USING API KEYS
     
     https://www.elastic.co/guide/en/beats/winlogbeat/current/beats-api-keys.html
     Documentation
     
     Instead of using usernames and passwords, you can use API keys to grant access to Elasticsearch resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the manage_api_key or manage_own_api_key cluster privilege can create API keys.
     
     Winlogbeat instances typically send both collected data and monitoring information to Elasticsearch. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster. For security reasons, we recommend using a unique API key per Winlogbeat instance. You can create as many API keys per user as necessary.
     
     Review Grant users access to secured resources before creating API keys for Winlogbeat.
     
     Create an API key for publishing
     
     To create an API key to use for writing data to Elasticsearch, use the Create API key API, for example:
     
         POST /_security/api_key
         {
           "name": "winlogbeat_host001",
           "role_descriptors": {
             "winlogbeat_writer": {
               "cluster": ["monitor", "read_ilm", "read_pipeline"],
               "index": [
                 {
                   "names": ["winlogbeat-*"],
                   "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
                 }
               ]
             }
           }
         }
     
     See Create a publishing user for the list of privileges required to publish events.
     
     The return value will look something like this:
     
         {
           "id": "TiNAGG4BaaMdaH1tRfuU",
           "name": "winlogbeat_host001",
           "api_key": "KnR6yE41RrSowb0kQ0HWoA"
         }
     
     You can now use this API key in your winlogbeat.yml configuration file like this:
     
         output.elasticsearch:
           api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA
     
     Create an API key for monitoring
     
     To create an API key to use for sending monitoring data to Elasticsearch, use the Create API key API, for example:
     
         POST /_security/api_key
         {
           "name": "winlogbeat_host001",
           "role_descriptors": {
             "winlogbeat_monitoring": {
               "cluster": ["monitor"],
               "index": [
                 {
                   "names": [".monitoring-beats-*"],
                   "privileges": ["create_index", "create"]
                 }
               ]
             }
           }
         }
     
     See Create a monitoring user for the list of privileges required to send monitoring data.
     
     The return value will look something like this:
     
         {
           "id": "TiNAGG4BaaMdaH1tRfuU",
           "name": "winlogbeat_host001",
           "api_key": "KnR6yE41RrSowb0kQ0HWoA"
         }
     
     You can now use this API key in your winlogbeat.yml configuration file like this:
     
         monitoring.elasticsearch:
           api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA
     
     Learn more about API keys
     
     See the Elasticsearch API key documentation for more information: Create API key, Get API key information, Invalidate API key.


 4.  CONFIGURE WINLOGBEAT
     
     https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html
     Documentation
     
     The winlogbeat section of the winlogbeat.yml config file specifies all options that are specific to Winlogbeat. Most importantly, it contains the list of event logs to monitor. Here is a sample configuration:
     
         winlogbeat.event_logs:
           - name: Application
             ignore_older: 72h
           - name: Security
           - name: System
     
     Configuration options
     
     You can specify the following options in the winlogbeat section of the winlogbeat.yml config file:
     
     registry_file
     
     The name of the file where Winlogbeat stores information that it uses to resume monitoring after a restart. By default the file is stored as .winlogbeat.yml in the directory where the Beat was started. When you run the process as a Windows service, it's recommended that you set the value to C:/ProgramData/winlogbeat/.winlogbeat.yml.
     
         winlogbeat.registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
     
     The forward slashes (/) in the path are automatically changed to backslashes (\) for Windows compatibility. You can use either forward or backslashes. Forward slashes are easier to work with in YAML because there is no need to escape them.
     
     registry_flush
     
     The timeout value that controls when registry entries are written to disk (flushed). When an unwritten update exceeds this value, it triggers a write to disk. When flush is set to 0s, the registry is written to disk after each batch of events has been published successfully. The default value is 5s. Valid time units are ns, us, ms, s, m, h.
     
         winlogbeat.registry_flush: 5s
     
     shutdown_timeout
     
     The amount of time to wait for all events to be published when shutting down. By default there is no shutdown timeout, so Winlogbeat will stop without waiting. When you restart, it will resume from the last successfully published event in each event log. In some use cases you do want to wait for the publishing queue to drain before exiting, and that's when you would use this option. Valid time units are ns, us, ms, s, m, h.
     
         winlogbeat.shutdown_timeout: 30s
     
     event_logs
     
     A list of entries (called dictionaries in YAML) that specify which event logs to monitor. Each entry in the list defines an event log to monitor as well as any information to be associated with the event log (filter, tags, and so on).
     
         winlogbeat.event_logs:
           - name: Application
     
     event_logs.batch_read_size
     
     The maximum number of event log records to read from the Windows API in a single batch. The default batch size is 100. Most Windows versions return an error if the value is larger than 1024. This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).
     
     Winlogbeat starts a goroutine (a lightweight thread) to read from each individual event log. The goroutine reads a batch of event log records using the Windows API, applies any processors to the events, publishes them to the configured outputs, and waits for an acknowledgement from the outputs before reading additional event log records.
     
     event_logs.name
     
     The name of the event log to monitor. Each dictionary under event_logs must have a name field, except for those which use a custom XML query. A channel is a named stream of events that transports events from an event source to an event log. Most channels are tied to specific event publishers. You can get a list of available event logs by using the PowerShell Get-WinEvent cmdlet on Windows Vista or newer. Here is a sample of the output from the command:
     
         PS C:\> Get-WinEvent -ListLog * | Format-List -Property LogName
         LogName : Application
         LogName : HardwareEvents
         LogName : Internet Explorer
         LogName : Key Management Service
         LogName : Security
         LogName : System
         LogName : Windows PowerShell
         LogName : ForwardedEvents
         LogName : Microsoft-Management-UI/Admin
         LogName : Microsoft-Rdms-UI/Admin
         LogName : Microsoft-Rdms-UI/Operational
         LogName : Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
         ...
     
     If Get-WinEvent is not available, the Get-EventLog cmdlet can be used in its place.
     
         PS C:\Users\vagrant> Get-EventLog *
     
           Max(K) Retain OverflowAction        Entries Log
           ------ ------ --------------        ------- ---
           20,480      0 OverwriteAsNeeded          75 Application
           20,480      0 OverwriteAsNeeded           0 HardwareEvents
              512      7 OverwriteOlder              0 Internet Explorer
           20,480      0 OverwriteAsNeeded           0 Key Management Service
           20,480      0 OverwriteAsNeeded       1,609 Security
           20,480      0 OverwriteAsNeeded       1,184 System
           15,360      0 OverwriteAsNeeded         464 Windows PowerShell
     
     You must specify the full name of the channel in the configuration file.
     
         winlogbeat.event_logs:
           - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
     
     To read events from an archived .evtx file you can specify the name as the absolute path (it cannot be relative) to the file. There's a complete example of how to read from an .evtx file in the FAQ.
     
         winlogbeat.event_logs:
           - name: 'C:\backup\sysmon-2019.08.evtx'
     
     The name key must not be used with custom XML queries.
     
     event_logs.id
     
     A unique identifier for the event log. This key is required when using a custom XML query. It is used to uniquely identify the event log reader in the registry file. This is useful if multiple event logs are being set up to watch the same channel or file. If an ID is not given, the event_logs.name value will be used. This value must be unique.
     
         winlogbeat.event_logs:
           - name: Application
             id: application-logs
             ignore_older: 168h
     
     event_logs.ignore_older
     
     If this option is specified, Winlogbeat filters events that are older than the specified amount of time. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". This option is useful when you are beginning to monitor an event log that contains older records that you would like to ignore. This field is optional.
     
         winlogbeat.event_logs:
           - name: Application
             ignore_older: 168h
     
     event_logs.forwarded
     
     A boolean flag to indicate that the log contains only events collected from remote hosts using the Windows Event Collector. The value defaults to true for the ForwardedEvents log and false for any other log. This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).
     
     This setting allows Winlogbeat to optimize reads for forwarded events that are already rendered. When the value is true, Winlogbeat does not attempt to render the event using message files from the host computer. The Windows Event Collector subscription should be configured to use the "RenderedText" format (this is the default) to ensure that the events are distributed with
     messagesand descriptions. event_logs.event_id A whitelist and blacklist of
     event IDs. The value is a comma-separated list. Theaccepted values are
     single event IDs to include (e.g. 4624), a range of eventIDs to include
     (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). This option
     is only available on operating systems supporting the Windows Event Log API
     (Microsoft Windows Vista and newer). winlogbeat.event_logs: - name:
     Security event_id: 4624, 4625, 4700-4800, -4735 If you specify more than 22
     query conditions (event IDs or event ID ranges), someversions of Windows
     will prevent Winlogbeat from reading the event log due tolimits in the
     query system. If this occurs a similar warning as shown below willbe logged
     by Winlogbeat, and it will continue processing data from other eventlogs.
     WARN EventLog[Application] Open() error. No events will be read from
     thissource. The specified query is invalid. In some cases, the limit may be
     lower than 22 conditions. For instance, using amixture of ranges and single
     event IDs, along with an additional parameter suchas ignore older , results
     in a limit of 21 conditions. If you have more than 22 conditions, you can
     workaround this Windows limitationby using a drop_event[drop-event]
     processor to do the filtering afterWinlogbeat has received the events from
     Windows. The filter shown below isequivalent to event_id: 903, 1024, 4624
     but can be expanded beyond 22event IDs. winlogbeat.event_logs: - name:
     Security processors: - drop_event.when.not.or: - equals.winlog.event_id:
     903 - equals.winlog.event_id: 1024 - equals.winlog.event_id: 4624
     event_logs.language The language ID the events will be rendered in. The
     language will be forced regardlessof the system language. A complete list
     of language IDs can be found here .It defaults to 0 , which indicates to
     use the system language. winlogbeat.event_logs: - name: Security event_id:
     4624, 4625, 4700-4800, -4735 language: 0x0409 # en-US event_logs.level A
     list of event levels to include. The value is a comma-separated list
     oflevels. This option is only available on operating systems supporting the
     Windows Event Log API (Microsoft Windows Vista and newer).
     winlogbeat.event_logs: - name: Security level: critical, error, warning
     event_logs.provider A list of providers (source names) to include. The
     value is a YAML list. This option is only available on operating systems
     supporting the Windows Event Log API (Microsoft Windows Vista and newer).
     winlogbeat.event_logs: - name: Application provider: - Application Error -
     Application Hang - Windows Error Reporting - EMET You can obtain a list of
     providers associated with a log by using PowerShell.Here is an example
     showing the providers associated with the Security log. PS C:\>
     (Get-WinEvent -ListLog Security).ProviderNamesDSLSASC
     ManagerSecuritySecurity Account ManagerServiceModel
     4.0.0.0SpoolerTCP/IPVSSAuditMicrosoft-Windows-Security-AuditingMicrosoft-Windows-Eventlog
     event_logs.xml_query Provide a custom XML query. This option is mutually
     exclusive with the name , event_id , ignore_older , level , and provider
     options. These options should be included inthe XML query directly.
     Furthermore, an id must be provided. Custom XML queriesprovide more
     flexibility and advanced options than the simpler query options in
     Winlogbeat. This option is only available on operating systems supporting
     the Windows Event Log API (Microsoft Windows Vista and newer). Here is a
     configuration which will collect DHCP server events from multiple channels:
     winlogbeat.event_logs: - id: dhcp-server-logs xml_query: > <QueryList>
     <Query Id="0" Path="DhcpAdminEvents"> <Select
     Path="DhcpAdminEvents">*</Select> <Select
     Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select> <Select
     Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select> </Query>
     </QueryList> XML queries may also be created in Windows Event Viewer using
     custom views. The querycan be created using a graphical interface and the
     corresponding XML can beretrieved from the XML tab. event_logs.include_xml
     Boolean option that controls if the raw XML representation of an event
     isincluded in the data sent by Winlogbeat. The default is false. This
     option is only available on operating systems supporting the Windows Event
     Log API (Microsoft Windows Vista and newer). The XML representation of the
     event is useful for troubleshooting purposes. Thedata in the fields
     reported by Winlogbeat can be compared to the data in the XMLto diagnose
     problems. Example: winlogbeat.event_logs: - name: Microsoft-Windows-Windows
     Defender/Operational include_xml: true event_logs.tags A list of tags that
     the Beat includes in the tags field of each publishedevent. Tags make it
     easy to select specific events in Kibana or applyconditional filtering in
     Logstash. These tags will be appended to the list oftags specified in the
     general configuration. Example: winlogbeat.event_logs: - name: CustomLog
     tags: ["web"] event_logs.fields Optional fields that you can specify to add
     additional information to theoutput. For example, you might add fields that
     you can use for filtering eventdata. Fields can be scalar values, arrays,
     dictionaries, or any nestedcombination of these. By default, the fields
     that you specify here will begrouped under a fields sub-dictionary in the
     output document. To store thecustom fields as top-level fields, set the
     fields_under_root option to true.If a duplicate field is declared in the
     general configuration, then its valuewill be overwritten by the value
     declared here. winlogbeat.event_logs: - name: CustomLog fields:
     customer_id: 51415432 event_logs.fields_under_root If this option is set to
     true, the custom fields are stored as top-level fields in the output
     document instead of being groupedunder a fields sub-dictionary. If the
     custom field names conflict with otherfield names added by Winlogbeat, then
     the custom fields overwrite the otherfields. event_logs.processors A list
     of processors to apply to the data generated by the event log. See
     Processors for information about specifyingprocessors in your config.
     event_logs.index If present, this formatted string overrides the index for
     events from thisevent log (for elasticsearch outputs), or sets the
     raw_index field of the event’smetadata (for other outputs). This string can
     only refer to the agent name andversion and the event timestamp; for access
     to dynamic fields, use output.elasticsearch.index or a processor. Example
     value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" mightexpand to
     "winlogbeat-myindex-2019.12.13" . event_logs.keep_null If this option is
     set to true, fields with null values will be published inthe output
     document. By default, keep_null is set to false . event_logs.no_more_events
     The action that the event log reader should take when it receives a signal
     fromWindows that there are no more events to read. It can either wait for
     moreevents to be written (the default behavior) or it can stop . The
     overallWinlogbeat process will stop when all of the individual event log
     readers havestopped. This option is only available on operating systems
     supporting the Windows Event Log API (Microsoft Windows Vista and newer).
     Setting no_more_events to stop is useful when reading from archived
     eventlog files where you want to read the whole file then exit. There’s a
     completeexample of how to read from an .evtx file in the FAQ .
     event_logs.api This selects the event log reader implementation that is
     used to read eventsfrom the Windows APIs. You should only set this option
     when testing experimentalfeatures. When the value is set to
     wineventlog-experimental Winlogbeat willreplace the default event log
     reader with the experimental implementation.We are evaluating this
     implementation to see if it can provide increasedperformance and reduce CPU
     usage. This option is only available on operating systems supporting the
     Windows Event Log API (Microsoft Windows Vista and newer).
     winlogbeat.event_logs: - name: ForwardedEvents api:
     wineventlog-experimental There are a few notable differences in the events:
     Events that contained data under winlog.user_data will now have it under
     winlog.event_data . Setting include_xml: true has no effect.
     overwrite_pipelines By default Ingest pipelines are not updated if a
     pipeline with the same IDalready exists. If this option is enabled
     Winlogbeat overwrites pipelinesevery time a new Elasticsearch connection is
     established. The default value is false .


 5.  ECS FIELDS
     
     https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-ecs.html
     Dokumentation
     
     This section defines Elastic Common Schema (ECS) fields, a common set of
     fields to be used when storing event data in Elasticsearch. This is an
     exhaustive list, and fields listed here are not necessarily used by
     Winlogbeat. The goal of ECS is to enable and encourage users of
     Elasticsearch to normalize their event data, so that they can better
     analyze, visualize, and correlate the data represented in their events. See
     the ECS reference for more information.

     @timestamp
         Date/time when the event originated. This is the date/time extracted
         from the event, typically representing when the event was generated by
         the source. If the event source has no original timestamp, this value
         is typically populated by the first time the event was received by the
         pipeline. Required field for all events.
         type: date
         example: 2016-05-23T08:05:34.853Z
         required: True

     labels
         Custom key/value pairs. Can be used to add meta information to events.
         Should not contain nested objects. All values are stored as keyword.
         Example: docker and k8s labels.
         type: object
         example: {"application": "foo-bar", "env": "production"}

     message
         For log events the message field contains the log message, optimized
         for viewing in a log viewer. For structured logs without an original
         message field, other fields can be concatenated to form a
         human-readable summary of the event. If multiple messages exist, they
         can be combined into one message.
         type: match_only_text
         example: Hello World

     tags
         List of keywords used to tag each event.
         type: keyword
         example: ["production", "env2"]

     agent
         The agent fields contain the data about the software entity, if any,
         that collects, detects, or observes events on a host, or takes
         measurements on a host. Examples include Beats. Agents may also run on
         observers. ECS agent.* fields shall be populated with details of the
         agent running on the host or observer where the event happened or the
         measurement was taken.

     agent.build.original
         Extended build information for the agent. This field is intended to
         contain any build information that a data source may provide; no
         specific formatting is required.
         type: keyword
         example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0
         [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10
         +0000 UTC]

     agent.ephemeral_id
         Ephemeral identifier of this agent (if one exists). This id normally
         changes across restarts, but agent.id does not.
         type: keyword
         example: 8a4f500f

     agent.id
         Unique identifier of this agent (if one exists). Example: For Beats
         this would be beat.id.
         type: keyword
         example: 8a4f500d

     agent.name
         Custom name of the agent. This is a name that can be given to an
         agent. This can be helpful if, for example, two Filebeat instances are
         running on the same host but a human readable separation is needed on
         which Filebeat instance data is coming from. If no name is given, the
         name is often left empty.
         type: keyword
         example: foo

     agent.type
         Type of the agent. The agent type always stays the same and should be
         given by the agent used. In case of Filebeat the agent would always be
         Filebeat, also if two Filebeat instances are run on the same machine.
         type: keyword
         example: filebeat

     agent.version
         Version of the agent.
         type: keyword
         example: 6.0.0-rc2

     as
         An autonomous system (AS) is a collection of connected Internet
         Protocol (IP) routing prefixes under the control of one or more
         network operators on behalf of a single administrative entity or
         domain that presents a common, clearly defined routing policy to the
         internet.

     as.number
         Unique number allocated to the autonomous system. The autonomous
         system number (ASN) uniquely identifies each network on the Internet.
         type: long
         example: 15169

     as.organization.name
         Organization name.
         type: keyword
         example: Google LLC

     as.organization.name.text
         type: match_only_text

     client
         A client is defined as the initiator of a network connection for
         events regarding sessions, connections, or bidirectional flow records.
         For TCP events, the client is the initiator of the TCP connection that
         sends the SYN packet(s). For other protocols, the client is generally
         the initiator or requestor in the network transaction. Some systems
         use the term "originator" to refer to the client in TCP connections.
         The client fields describe details about the system acting as the
         client in the network event. Client fields are usually populated in
         conjunction with server fields. Client fields are generally not
         populated for packet-level events. Client / server representations
         can add semantic context to an exchange, which is helpful to visualize
         the data in certain situations. If your context falls in that
         category, you should still ensure that source and destination are
         filled appropriately.

     client.address
         Some event client addresses are defined ambiguously. The event will
         sometimes list an IP, a domain or a unix socket. You should always
         store the raw address in the .address field. Then it should be
         duplicated to .ip or .domain, depending on which one it is.
         type: keyword

     client.as.number
         Unique number allocated to the autonomous system. The autonomous
         system number (ASN) uniquely identifies each network on the Internet.
         type: long
         example: 15169

     client.as.organization.name
         Organization name.
         type: keyword
         example: Google LLC

     client.as.organization.name.text
         type: match_only_text

     client.bytes
         Bytes sent from the client to the server.
         type: long
         example: 184
         format: bytes

     client.domain
         The domain name of the client system. This value may be a host name, a
         fully qualified domain name, or another host naming format. The value
         may derive from the original event or be added from enrichment.
         type: keyword
         example: foo.example.com

     client.geo.city_name
         City name.
         type: keyword
         example: Montreal

     client.geo.continent_code
         Two-letter code representing the continent's name.
         type: keyword
         example: NA

     client.geo.continent_name
         Name of the continent.
         type: keyword
         example: North America

     client.geo.country_iso_code
         Country ISO code.
         type: keyword
         example: CA

     client.geo.country_name
         Country name.
         type: keyword
         example: Canada

     client.geo.location
         Longitude and latitude.
         type: geo_point
         example: { "lon": -73.614830, "lat": 45.505918 }

     client.geo.name
         User-defined description of a location, at the level of granularity
         they care about. Could be the name of their data centers, the floor
         number, if this describes a local physical entity, city names. Not
         typically used in automated geolocation.
         type: keyword
         example: boston-dc

     client.geo.postal_code
         Postal code associated with the location. Values appropriate for this
         field may also be known as a postcode or ZIP code and will vary widely
         from country to country.
         type: keyword
         example: 94040

     client.geo.region_iso_code
         Region ISO code.
         type: keyword
         example: CA-QC

     client.geo.region_name
         Region name.
         type: keyword
         example: Quebec

     client.geo.timezone
         The time zone of the location, such as IANA time zone name.
         type: keyword
         example: America/Argentina/Buenos_Aires

     client.ip
         IP address of the client (IPv4 or IPv6).
         type: ip

     client.mac
         MAC address of the client. The notation format from RFC 7042 is
         suggested: Each octet (that is, 8-bit byte) is represented by two
         [uppercase] hexadecimal digits giving the value of the octet as an
         unsigned integer. Successive octets are separated by a hyphen.
         type: keyword
         example: 00-00-5E-00-53-23

     client.nat.ip
         Translated IP of source based NAT sessions (e.g. internal client to
         internet). Typically connections traversing load balancers, firewalls,
         or routers.
         type: ip

     client.nat.port
         Translated port of source based NAT sessions (e.g. internal client to
         internet). Typically connections traversing load balancers, firewalls,
         or routers.
         type: long
         format: string

     client.packets
         Packets sent from the client to the server.
         type: long
         example: 12

     client.port
         Port of the client.
         type: long
         format: string

     client.registered_domain
         The highest registered client domain, stripped of the subdomain. For
         example, the registered domain for "foo.example.com" is "example.com".
         This value can be determined precisely with a list like the public
         suffix list ( http://publicsuffix.org ). Trying to approximate this by
         simply taking the last two labels will not work well for TLDs such as
         "co.uk".
         type: keyword
         example: example.com

     client.subdomain
         The subdomain portion of a fully qualified domain name includes all of
         the names except the host name under the registered_domain. In a
         partially qualified domain, or if the qualification level of the full
         name cannot be determined, subdomain contains all of the names below
         the registered domain. For example the subdomain portion of
         "www.east.mydomain.co.uk" is "east". If the domain has multiple levels
         of subdomain, such as "sub2.sub1.example.com", the subdomain field
         should contain "sub2.sub1", with no trailing period.
         type: keyword
         example: east

     client.top_level_domain
         The effective top level domain (eTLD), also known as the domain
         suffix, is the last part of the domain name. For example, the top
         level domain for example.com is "com". This value can be determined
         precisely with a list like the public suffix list
         ( http://publicsuffix.org ). Trying to approximate this by simply
         taking the last label will not work well for effective TLDs such as
         "co.uk".
         type: keyword
         example: co.uk

     client.user.domain
         Name of the directory the user is a member of. For example, an LDAP or
         Active Directory domain name.
         type: keyword

     client.user.email
         User email address.
         type: keyword

     client.user.full_name
         User's full name, if available.
         type: keyword
         example: Albert Einstein

     client.user.full_name.text
         type: match_only_text

     client.user.group.domain
         Name of the directory the group is a member of. For example, an LDAP
         or Active Directory domain name.
         type: keyword

     client.user.group.id
         Unique identifier for the group on the system/platform.
         type: keyword

     client.user.group.name
         Name of the group.
         type: keyword

     client.user.hash
         Unique user hash to correlate information for a user in anonymized
         form. Useful if user.id or user.name contain confidential information
         and cannot be used.
         type: keyword

     client.user.id
         Unique identifier of the user.
         type: keyword
         example: S-1-5-21-202424912787-2692429404-2351956786-1000

     client.user.name
         Short name or login of the user.
         type: keyword
         example: a.einstein

     client.user.name.text
         type: match_only_text

     client.user.roles
         Array of user roles at the time of the event.
         type: keyword
         example: ["kibana_admin", "reporting_user"]

     cloud
         Fields related to the cloud or infrastructure the events are coming
         from.

     cloud.account.id
         The cloud account or organization id used to identify different
         entities in a multi-tenant environment. Examples: AWS account id,
         Google Cloud ORG Id, or other unique identifier.
         type: keyword
         example: 666777888999

     cloud.account.name
         The cloud account name or alias used to identify different entities in
         a multi-tenant environment. Examples: AWS account name, Google Cloud
         ORG display name.
         type: keyword
         example: elastic-dev

     cloud.availability_zone
         Availability zone in which this host, resource, or service is located.
         type: keyword
         example: us-east-1c

     cloud.instance.id
         Instance ID of the host machine.
         type: keyword
         example: i-1234567890abcdef0

     cloud.instance.name
         Instance name of the host machine.
         type: keyword

     cloud.machine.type
         Machine type of the host machine.
         type: keyword
         example: t2.medium

     cloud.origin.account.id
         The cloud account or organization id used to identify different
         entities in a multi-tenant environment. Examples: AWS account id,
         Google Cloud ORG Id, or other unique identifier.
         type: keyword
         example: 666777888999

     cloud.origin.account.name
         The cloud account name or alias used to identify different entities in
         a multi-tenant environment. Examples: AWS account name, Google Cloud
         ORG display name.
         type: keyword
         example: elastic-dev

     cloud.origin.availability_zone
         Availability zone in which this host, resource, or service is located.
         type: keyword
         example: us-east-1c

     cloud.origin.instance.id
         Instance ID of the host machine.
         type: keyword
         example: i-1234567890abcdef0

     cloud.origin.instance.name
         Instance name of the host machine.
         type: keyword

     cloud.origin.machine.type
         Machine type of the host machine.
         type: keyword
         example: t2.medium

     cloud.origin.project.id
         The cloud project identifier. Examples: Google Cloud Project id, Azure
         Project id.
         type: keyword
         example: my-project

     cloud.origin.project.name
         The cloud project name. Examples: Google Cloud Project name, Azure
         Project name.
         type: keyword
         example: my project

     cloud.origin.provider
         Name of the cloud provider. Example values are aws, azure, gcp, or
         digitalocean.
         type: keyword
         example: aws

     cloud.origin.region
         Region in which this host, resource, or service is located.
         type: keyword
         example: us-east-1

     cloud.origin.service.name
         The cloud service name is intended to distinguish services running on
         different platforms within a provider, e.g. AWS EC2 vs Lambda, GCP GCE
         vs App Engine, Azure VM vs App Server. Examples: app engine, app
         service, cloud run, fargate, lambda.
         type: keyword
         example: lambda

     cloud.project.id
         The cloud project identifier. Examples: Google Cloud Project id, Azure
         Project id.
         type: keyword
         example: my-project

     cloud.project.name
         The cloud project name. Examples: Google Cloud Project name, Azure
         Project name.
         type: keyword
         example: my project

     cloud.provider
         Name of the cloud provider. Example values are aws, azure, gcp, or
         digitalocean.
         type: keyword
         example: aws

     cloud.region
         Region in which this host, resource, or service is located.
         type: keyword
         example: us-east-1

     cloud.service.name
         The cloud service name is intended to distinguish services running on
         different platforms within a provider, e.g. AWS EC2 vs Lambda, GCP GCE
         vs App Engine, Azure VM vs App Server. Examples: app engine, app
         service, cloud run, fargate, lambda.
         type: keyword
         example: lambda

     cloud.target.account.id
         The cloud account or organization id used to identify different
         entities in a multi-tenant environment. Examples: AWS account id,
         Google Cloud ORG Id, or other unique identifier.
         type: keyword
         example: 666777888999

     cloud.target.account.name
         The cloud account name or alias used to identify different entities in
         a multi-tenant environment. Examples: AWS account name, Google Cloud
         ORG display name.
         type: keyword
         example: elastic-dev

     cloud.target.availability_zone
         Availability zone in which this host, resource, or service is located.
         type: keyword
         example: us-east-1c

     cloud.target.instance.id
         Instance ID of the host machine.
         type: keyword
         example: i-1234567890abcdef0

     cloud.target.instance.name
         Instance name of the host machine.
         type: keyword

     cloud.target.machine.type
         Machine type of the host machine.
         type: keyword
         example: t2.medium

     cloud.target.project.id
         The cloud project identifier. Examples: Google Cloud Project id, Azure
         Project id.
         type: keyword
         example: my-project

     cloud.target.project.name
         The cloud project name. Examples: Google Cloud Project name, Azure
         Project name.
         type: keyword
         example: my project

     cloud.target.provider
         Name of the cloud provider. Example values are aws, azure, gcp, or
         digitalocean.
         type: keyword
         example: aws

     cloud.target.region
         Region in which this host, resource, or service is located.
         type: keyword
         example: us-east-1

     cloud.target.service.name
         The cloud service name is intended to distinguish services running on
         different platforms within a provider, e.g. AWS EC2 vs Lambda, GCP GCE
         vs App Engine, Azure VM vs App Server. Examples: app engine, app
         service, cloud run, fargate, lambda.
         type: keyword
         example: lambda

     code_signature
         These fields contain information about binary code signatures.

     code_signature.digest_algorithm
         The hashing algorithm used to sign the process. This value can
         distinguish signatures when a file is signed multiple times by the
         same signer but with a different digest algorithm.
         type: keyword
         example: sha256

     code_signature.exists
         Boolean to capture if a signature is present.
         type: boolean
         example: true

     code_signature.signing_id
         The identifier used to sign the process. This is used to identify the
         application manufactured by a software vendor. The field is relevant
         to Apple *OS only.
         type: keyword
         example: com.apple.xpc.proxy

     code_signature.status
         Additional information about the certificate status. This is useful
         for logging cryptographic errors with the certificate validity or
         trust status. Leave unpopulated if the validity or trust of the
         certificate was unchecked.
         type: keyword
         example: ERROR_UNTRUSTED_ROOT

     code_signature.subject_name
         Subject name of the code signer.
         type: keyword
         example: Microsoft Corporation

     code_signature.team_id
         The team identifier used to sign the process. This is used to identify
         the team or vendor of a software product. The field is relevant to
         Apple *OS only.
         type: keyword
         example: EQHXZ8M8AV

     code_signature.timestamp
         Date and time when the code signature was generated and signed.
         type: date
         example: 2021-01-01T12:10:30Z

     code_signature.trusted
         Stores the trust status of the certificate chain. Validating the trust
         of the certificate chain may be complicated, and this field should
         only be populated by tools that actively check the status.
         type: boolean
         example: true

     code_signature.valid
         Boolean to capture if the digital signature is verified against the
         binary content. Leave unpopulated if a certificate was unchecked.
         type: boolean
         example: true

     container
         Container fields are used for meta information about the specific
         container that is the source of information. These fields help
         correlate data based on containers from any runtime.

     container.cpu.usage
         Percent CPU used which is normalized by the number of CPU cores and it
         ranges from 0 to 1. Scaling factor: 1000.
         type: scaled_float

     container.disk.read.bytes
         The total number of bytes (gauge) read successfully (aggregated from
         all disks) since the last metric collection.
         type: long

     container.disk.write.bytes
         The total number of bytes (gauge) written successfully (aggregated
         from all disks) since the last metric collection.
         type: long

     container.id
         Unique container id.
         type: keyword

     container.image.name
         Name of the image the container was built on.
         type: keyword

     container.image.tag
         Container image tags.
         type: keyword

     container.labels
         Image labels.
         type: object

     container.memory.usage
         Memory usage percentage and it ranges from 0 to 1. Scaling factor:
         1000.
         type: scaled_float

     container.name
         Container name.
         type: keyword

     container.network.egress.bytes
         The number of bytes (gauge) sent out on all network interfaces by the
         container since the last metric collection.
         type: long

     container.network.ingress.bytes
         The number of bytes received (gauge) on all network interfaces by the
         container since the last metric collection.
         type: long

     container.runtime
         Runtime managing this container.
         type: keyword
         example: docker

     data_stream
         The data_stream fields take part in defining the new data stream
         naming scheme. In the new data stream naming scheme the value of the
         data stream fields combine to the name of the actual data stream in
         the following manner:
         {data_stream.type}-{data_stream.dataset}-{data_stream.namespace}. This
         means the fields can only contain characters that are valid as part of
         names of data streams. More details about this can be found in this
         blog post. An Elasticsearch data stream consists of one or more
         backing indices, and a data stream name forms part of the backing
         indices names. Due to this convention, data streams must also follow
         index naming restrictions. For example, data stream names cannot
         include \ , / , * , ? , " , < , > , | , ` ` (space character), , , or
         # . Please see the Elasticsearch reference for additional restrictions.

     data_stream.dataset
         The field can contain anything that makes sense to signify the source
         of the data. Examples include nginx.access, prometheus, endpoint etc.
         For data streams that otherwise fit, but that do not have dataset set,
         we use the value "generic" for the dataset value. event.dataset should
         have the same value as data_stream.dataset. Beyond the Elasticsearch
         data stream naming criteria noted above, the dataset value has
         additional restrictions:
          * Must not contain -
          * No longer than 100 characters
         type: constant_keyword
         example: nginx.access

     data_stream.namespace
         A user defined namespace. Namespaces are useful to allow grouping of
         data. Many users already organize their indices this way, and the data
         stream naming scheme now provides this best practice as a default.
         Many users will populate this field with default. If no value is used,
         it falls back to default. Beyond the Elasticsearch index naming
         criteria noted above, the namespace value has the additional
         restrictions:
          * Must not contain -
          * No longer than 100 characters
         type: constant_keyword
         example: production

     data_stream.type
         An overarching type for the data stream. Currently allowed values are
         "logs" and "metrics". We expect to also add "traces" and "synthetics"
         in the near future.
         type: constant_keyword
         example: logs

     destination
         Destination fields capture details about the receiver of a network
         exchange/packet. These fields are populated from a network event,
         packet, or other event containing details of a network transaction.
         Destination fields are usually populated in conjunction with source
         fields. The source and destination fields are considered the baseline
         and should always be filled if an event contains source and
         destination details from a network transaction. If the event also
         contains identification of the client and server roles, then the
         client and server fields should also be populated.

     destination.address
         Some
     event destination addresses are defined ambiguously. The event will
     sometimes list an IP, a domain or a unix socket. You should always store
     the raw address in the .address field.Then it should be duplicated to .ip
     or .domain , depending on which one it is. type: keyword
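The data_stream naming rules listed above (the {type}-{dataset}-{namespace} scheme, the index-name character restrictions, the "generic" and "default" fallbacks, and the no-hyphen / 100-character limits on dataset and namespace) are easy to turn into a pre-flight check before a pipeline creates or writes to a data stream. The following validator is an added example, not ECS or Elastic code; the function and exception names are this example's own, and only the restrictions the reference states are encoded (the Elasticsearch reference lists further index-name rules that are not repeated here).

```python
"""Validate ECS data_stream.* values and build the resulting data stream name.

Added example, not part of the ECS reference or any Elastic project. It
encodes only the naming restrictions the reference states; further
Elasticsearch index-name rules are out of scope.
"""
from __future__ import annotations

# data_stream.type values the reference currently allows ("traces" and
# "synthetics" are announced but not yet allowed, so they are rejected).
ALLOWED_TYPES = frozenset({"logs", "metrics"})

# Characters the reference says data stream names cannot contain:
# backslash, slash, asterisk, question mark, double quote, angle brackets,
# pipe, space, comma and hash.
FORBIDDEN_INDEX_CHARS = frozenset('\\/*?"<>| ,#')


class DataStreamNameError(ValueError):
    """Raised when a data_stream.* value violates the naming rules."""


def _check_component(field: str, value: str) -> None:
    """Apply the index-name character rule, plus the dataset/namespace extras."""
    if not value:
        raise DataStreamNameError(f"{field} must not be empty")
    bad = sorted(set(value) & FORBIDDEN_INDEX_CHARS)
    if bad:
        raise DataStreamNameError(f"{field} contains forbidden characters {bad!r}")
    if field in ("data_stream.dataset", "data_stream.namespace"):
        # A hyphen would make the {type}-{dataset}-{namespace} name ambiguous.
        if "-" in value:
            raise DataStreamNameError(f"{field} must not contain '-'")
        if len(value) > 100:
            raise DataStreamNameError(f"{field} is longer than 100 characters")


def data_stream_name(ds_type: str, dataset: str | None, namespace: str | None) -> str:
    """Return {data_stream.type}-{data_stream.dataset}-{data_stream.namespace}.

    dataset falls back to "generic" and namespace to "default" when unset,
    as the reference describes. Raises DataStreamNameError on any violation.
    """
    if ds_type not in ALLOWED_TYPES:
        raise DataStreamNameError(
            f"data_stream.type must be one of {sorted(ALLOWED_TYPES)}, got {ds_type!r}"
        )
    dataset = dataset or "generic"
    namespace = namespace or "default"
    _check_component("data_stream.dataset", dataset)
    _check_component("data_stream.namespace", namespace)
    return f"{ds_type}-{dataset}-{namespace}"


def is_valid(ds_type: str, dataset: str | None, namespace: str | None) -> bool:
    """Boolean form of data_stream_name(), for use in an ingest pre-check."""
    try:
        data_stream_name(ds_type, dataset, namespace)
        return True
    except DataStreamNameError:
        return False


if __name__ == "__main__":
    print(data_stream_name("logs", "nginx.access", "production"))   # logs-nginx.access-production
    print(data_stream_name("metrics", None, None))                  # metrics-generic-default
    print(is_valid("logs", "nginx-access", "default"))              # False: hyphen in dataset
```

Rejecting the hyphen in dataset and namespace is what keeps the composed name parseable: because the three parts are joined with "-", a hyphen inside any of them would make a downstream split of the stream name ambiguous.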
destination.as.number
    Unique number allocated to the autonomous system. The autonomous system
    number (ASN) uniquely identifies each network on the Internet.
    type: long
    example: 15169

destination.as.organization.name
    Organization name.
    type: keyword
    example: Google LLC

destination.as.organization.name.text
    type: match_only_text

destination.bytes
    Bytes sent from the destination to the source.
    type: long
    example: 184
    format: bytes

destination.domain
    The domain name of the destination system. This value may be a host name,
    a fully qualified domain name, or another host naming format. The value
    may derive from the original event or be added from enrichment.
    type: keyword
    example: foo.example.com

destination.geo.city_name
    City name.
    type: keyword
    example: Montreal

destination.geo.continent_code
    Two-letter code representing the continent’s name.
    type: keyword
    example: NA

destination.geo.continent_name
    Name of the continent.
    type: keyword
    example: North America

destination.geo.country_iso_code
    Country ISO code.
    type: keyword
    example: CA

destination.geo.country_name
    Country name.
    type: keyword
    example: Canada

destination.geo.location
    Longitude and latitude.
    type: geo_point
    example: { "lon": -73.614830, "lat": 45.505918 }

destination.geo.name
    User-defined description of a location, at the level of granularity they
    care about. Could be the name of their data centers, the floor number, if
    this describes a local physical entity, city names. Not typically used in
    automated geolocation.
    type: keyword
    example: boston-dc

destination.geo.postal_code
    Postal code associated with the location. Values appropriate for this
    field may also be known as a postcode or ZIP code and will vary widely
    from country to country.
    type: keyword
    example: 94040

destination.geo.region_iso_code
    Region ISO code.
    type: keyword
    example: CA-QC

destination.geo.region_name
    Region name.
    type: keyword
    example: Quebec

destination.geo.timezone
    The time zone of the location, such as an IANA time zone name.
    type: keyword
    example: America/Argentina/Buenos_Aires

destination.ip
    IP address of the destination (IPv4 or IPv6).
    type: ip

destination.mac
    MAC address of the destination. The notation format from RFC 7042 is
    suggested: each octet (that is, 8-bit byte) is represented by two
    [uppercase] hexadecimal digits giving the value of the octet as an
    unsigned integer. Successive octets are separated by a hyphen.
    type: keyword
    example: 00-00-5E-00-53-23

destination.nat.ip
    Translated IP of destination-based NAT sessions (e.g. internet to private
    DMZ). Typically used with load balancers, firewalls, or routers.
    type: ip

destination.nat.port
    Port the source session is translated to by the NAT device. Typically
    used with load balancers, firewalls, or routers.
    type: long
    format: string

destination.packets
    Packets sent from the destination to the source.
    type: long
    example: 12

destination.port
    Port of the destination.
    type: long
    format: string

destination.registered_domain
    The highest registered destination domain, stripped of the subdomain.
    For example, the registered domain for "foo.example.com" is
    "example.com". This value can be determined precisely with a list like
    the public suffix list (http://publicsuffix.org). Trying to approximate
    this by simply taking the last two labels will not work well for TLDs
    such as "co.uk".
    type: keyword
    example: example.com

destination.subdomain
    The subdomain portion of a fully qualified domain name includes all of
    the names except the host name under the registered_domain. In a
    partially qualified domain, or if the qualification level of the full
    name cannot be determined, subdomain contains all of the names below the
    registered domain. For example, the subdomain portion of
    "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of
    subdomain, such as "sub2.sub1.example.com", the subdomain field should
    contain "sub2.sub1", with no trailing period.
    type: keyword
    example: east

destination.top_level_domain
    The effective top level domain (eTLD), also known as the domain suffix,
    is the last part of the domain name. For example, the top level domain
    for example.com is "com". This value can be determined precisely with a
    list like the public suffix list (http://publicsuffix.org). Trying to
    approximate this by simply taking the last label will not work well for
    effective TLDs such as "co.uk".
    type: keyword
    example: co.uk

destination.user.domain
    Name of the directory the user is a member of. For example, an LDAP or
    Active Directory domain name.
    type: keyword

destination.user.email
    User email address.
    type: keyword

destination.user.full_name
    User’s full name, if available.
    type: keyword
    example: Albert Einstein

destination.user.full_name.text
    type: match_only_text

destination.user.group.domain
    Name of the directory the group is a member of. For example, an LDAP or
    Active Directory domain name.
    type: keyword

destination.user.group.id
    Unique identifier for the group on the system/platform.
    type: keyword

destination.user.group.name
    Name of the group.
    type: keyword

destination.user.hash
    Unique user hash to correlate information for a user in anonymized form.
    Useful if user.id or user.name contain confidential information and
    cannot be used.
    type: keyword

destination.user.id
    Unique identifier of the user.
    type: keyword
    example: S-1-5-21-202424912787-2692429404-2351956786-1000

destination.user.name
    Short name or login of the user.
    type: keyword
    example: a.einstein

destination.user.name.text
    type: match_only_text

destination.user.roles
    Array of user roles at the time of the event.
    type: keyword
    example: ["kibana_admin", "reporting_user"]

dll fields

These fields contain information about code libraries dynamically loaded
into processes. Many operating systems refer to "shared code libraries" with
different names, but this field set refers to all of the following:
 * Dynamic-link library (.dll) commonly used on Windows
 * Shared Object (.so) commonly used on Unix-like operating systems
 * Dynamic library (.dylib) commonly used on macOS

dll.code_signature.digest_algorithm
    The hashing algorithm used to sign the process. This value can
    distinguish signatures when a file is signed multiple times by the same
    signer but with a different digest algorithm.
    type: keyword
    example: sha256

dll.code_signature.exists
    Boolean to capture if a signature is present.
    type: boolean
    example: true

dll.code_signature.signing_id
    The identifier used to sign the process. This is used to identify the
    application manufactured by a software vendor. The field is relevant to
    Apple *OS only.
    type: keyword
    example: com.apple.xpc.proxy

dll.code_signature.status
    Additional information about the certificate status. This is useful for
    logging cryptographic errors with the certificate validity or trust
    status. Leave unpopulated if the validity or trust of the certificate was
    unchecked.
    type: keyword
    example: ERROR_UNTRUSTED_ROOT

dll.code_signature.subject_name
    Subject name of the code signer.
    type: keyword
    example: Microsoft Corporation

dll.code_signature.team_id
    The team identifier used to sign the process. This is used to identify
    the team or vendor of a software product. The field is relevant to Apple
    *OS only.
    type: keyword
    example: EQHXZ8M8AV

dll.code_signature.timestamp
    Date and time when the code signature was generated and signed.
    type: date
    example: 2021-01-01T12:10:30Z

dll.code_signature.trusted
    Stores the trust status of the certificate chain. Validating the trust of
    the certificate chain may be complicated, and this field should only be
    populated by tools that actively check the status.
    type: boolean
    example: true

dll.code_signature.valid
    Boolean to capture if the digital signature is verified against the
    binary content. Leave unpopulated if a certificate was unchecked.
    type: boolean
    example: true

dll.hash.md5
    MD5 hash.
    type: keyword

dll.hash.sha1
    SHA1 hash.
    type: keyword

dll.hash.sha256
    SHA256 hash.
    type: keyword

dll.hash.sha512
    SHA512 hash.
    type: keyword

dll.hash.ssdeep
    SSDEEP hash.
    type: keyword

dll.name
    Name of the library. This generally maps to the name of the file on disk.
    type: keyword
    example: kernel32.dll

dll.path
    Full file path of the library.
    type: keyword
    example: C:\Windows\System32\kernel32.dll

dll.pe.architecture
    CPU architecture target for the file.
    type: keyword
    example: x64

dll.pe.company
    Internal company name of the file, provided at compile-time.
    type: keyword
    example: Microsoft Corporation

dll.pe.description
    Internal description of the file, provided at compile-time.
    type: keyword
    example: Paint

dll.pe.file_version
    Internal version of the file, provided at compile-time.
    type: keyword
    example: 6.3.9600.17415

dll.pe.imphash
    A hash of the imports in a PE file. An imphash — or import hash — can be
    used to fingerprint binaries even after recompilation or other
    code-level transformations have occurred, which would change more
    traditional hash values. Learn more at
    https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
    type: keyword
    example: 0c6803c4e922103c4dca5963aad36ddf

dll.pe.original_file_name
    Internal name of the file, provided at compile-time.
    type: keyword
    example: MSPAINT.EXE

dll.pe.product
    Internal product name of the file, provided at compile-time.
    type: keyword
    example: Microsoft® Windows® Operating System

dns fields

Fields describing DNS queries and answers. DNS events should either
represent a single DNS query prior to getting answers (dns.type:query) or
they should represent a full exchange and contain the query details as well
as all of the answers that were provided for this query (dns.type:answer).

dns.answers
    An array containing an object for each answer section returned by the
    server. The main keys that should be present in these objects are defined
    by ECS. Records that have more information may contain more keys than
    what ECS defines. Not all DNS data sources give all details about DNS
    answers. At minimum, answer objects must contain the data key. If more
    information is available, map as much of it to ECS as possible, and add
    any additional fields to the answer objects as custom fields.
    type: object

dns.answers.class
    The class of DNS data contained in this resource record.
    type: keyword
    example: IN

dns.answers.data
    The data describing the resource. The meaning of this data depends on
    the type and class of the resource record.
    type: keyword
    example: 10.10.10.10

dns.answers.name
    The domain name to which this resource record pertains. If a chain of
    CNAMEs is being resolved, each answer’s name should be the one that
    corresponds with the answer’s data. It should not simply be the original
    question.name repeated.
    type: keyword
    example: www.example.com

dns.answers.ttl
    The time interval in seconds that this resource record may be cached
    before it should be discarded. Zero values mean that the data should not
    be cached.
    type: long
    example: 180

dns.answers.type
    The type of data contained in this resource record.
    type: keyword
    example: CNAME

dns.header_flags
    Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA,
    AD, CD, DO.
    type: keyword
    example: ["RD", "RA"]

dns.id
    The DNS packet identifier assigned by the program that generated the
    query. The identifier is copied to the response.
    type: keyword
    example: 62111

dns.op_code
    The DNS operation code that specifies the kind of query in the message.
    This value is set by the originator of a query and copied into the
    response.
    type: keyword
    example: QUERY

dns.question.class
    The class of records being queried.
    type: keyword
    example: IN

dns.question.name
    The name being queried. If the name field contains non-printable
    characters (below 32 or above 126), those characters should be
    represented as escaped base 10 integers (\DDD). Backslashes and quotes
    should be escaped. Tabs, carriage returns, and line feeds should be
    converted to \t, \r, and \n respectively.
    type: keyword
    example: www.example.com

dns.question.registered_domain
    The highest registered domain, stripped of the subdomain. For example,
    the registered domain for "foo.example.com" is "example.com". This value
    can be determined precisely with a list like the public suffix list
    (http://publicsuffix.org). Trying to approximate this by simply taking
    the last two labels will not work well for TLDs such as "co.uk".
    type: keyword
    example: example.com

dns.question.subdomain
    The subdomain is all of the labels under the registered_domain. If the
    domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
    the subdomain field should contain "sub2.sub1", with no trailing period.
    type: keyword
    example: www
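Both the destination.* entries above and the dns.question.* entries here derive registered_domain, subdomain and top_level_domain from a public suffix list rather than by counting labels, and dns.question.name adds its own escaping rule for non-printable bytes. The block below is an added example, not ECS or Elastic code: PUBLIC_SUFFIXES is a small constructed subset of the public suffix list (a real pipeline loads the full list from publicsuffix.org), and the function names are this example's own. It follows the dns.question.subdomain rule ("all of the labels under the registered_domain"); the destination.subdomain variant that also drops the host label is left to the caller.

```python
"""Derive the ECS *.subdomain / *.registered_domain / *.top_level_domain
fields from a domain name, and escape a raw DNS question name the way the
dns.question.name entry prescribes.

Added example, not ECS or Elastic code. PUBLIC_SUFFIXES is a constructed
subset of the public suffix list (https://publicsuffix.org).
"""

# Constructed subset of the public suffix list: plain TLDs plus a few
# multi-label effective TLDs, the case where "take the last two labels"
# yields the wrong registered domain.
PUBLIC_SUFFIXES = frozenset({"com", "org", "net", "ca", "qc.ca", "uk", "co.uk", "org.uk"})


def split_domain(domain: str) -> dict:
    """Return {"subdomain", "registered_domain", "top_level_domain"} for a name.

    The eTLD is the longest suffix of the name found in the list, the
    registered domain is the eTLD plus one more label, and the subdomain is
    every label below the registered domain. A name that is itself a public
    suffix, or whose suffix is not in the list, gets an empty registered_domain.
    """
    labels = domain.rstrip(".").lower().split(".")
    etld_len = 0
    for i in range(len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            etld_len = len(labels) - i
            break
    tld = ".".join(labels[-etld_len:]) if etld_len else ""
    if etld_len == 0 or etld_len >= len(labels):
        return {"subdomain": "", "registered_domain": "", "top_level_domain": tld}
    cut = etld_len + 1                      # eTLD plus the registrable label
    return {
        "subdomain": ".".join(labels[:-cut]),
        "registered_domain": ".".join(labels[-cut:]),
        "top_level_domain": tld,
    }


def escape_dns_name(raw: bytes) -> str:
    """Escape a decoded DNS name for dns.question.name.

    Bytes below 32 or above 126 become \\DDD (three decimal digits), tab, CR
    and LF become \\t, \\r and \\n, and backslash and quote characters are
    escaped with a backslash. Everything else is emitted as-is.
    """
    out = []
    for b in raw:
        if b == 0x09:
            out.append("\\t")
        elif b == 0x0D:
            out.append("\\r")
        elif b == 0x0A:
            out.append("\\n")
        elif b < 32 or b > 126:
            out.append(f"\\{b:03d}")
        elif b in (0x5C, 0x22, 0x27):       # backslash, double quote, single quote
            out.append("\\" + chr(b))
        else:
            out.append(chr(b))
    return "".join(out)


def dns_question_fields(raw_name: bytes) -> dict:
    """Build the dns.question.* name fields for one query from the raw name."""
    name = escape_dns_name(raw_name)
    parts = split_domain(name)
    return {
        "dns.question.name": name,
        "dns.question.subdomain": parts["subdomain"],
        "dns.question.registered_domain": parts["registered_domain"],
        "dns.question.top_level_domain": parts["top_level_domain"],
    }


if __name__ == "__main__":
    print(split_domain("www.east.mydomain.co.uk"))   # registered_domain mydomain.co.uk, not co.uk
    print(dns_question_fields(b"www.example.com"))
```

The loop tries the longest suffix first, so "co.uk" wins over "uk" for a .co.uk host; that single ordering decision is what the reference's warning about counting labels comes down to.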
dns.question.top_level_domain
    The effective top level domain (eTLD), also known as the domain suffix,
    is the last part of the domain name. For example, the top level domain
    for example.com is "com". This value can be determined precisely with a
    list like the public suffix list (http://publicsuffix.org). Trying to
    approximate this by simply taking the last label will not work well for
    effective TLDs such as "co.uk".
    type: keyword
    example: co.uk

dns.question.type
    The type of record being queried.
    type: keyword
    example: AAAA

dns.resolved_ip
    Array containing all IPs seen in answers.data. The answers array can be
    difficult to use, because of the variety of data formats it can contain.
    Extracting all IP addresses seen in there to dns.resolved_ip makes it
    possible to index them as IP addresses, and makes them easier to
    visualize and query for.
    type: ip
    example: ["10.10.10.10", "10.10.10.11"]

dns.response_code
    The DNS response code.
    type: keyword
    example: NOERROR

dns.type
    The type of DNS event captured, query or answer. If your source of DNS
    events only gives you DNS queries, you should only create dns events of
    type dns.type:query. If your source of DNS events gives you answers as
    well, you should create one event per query (optionally as soon as the
    query is seen), and a second event containing all query details as well
    as an array of answers.
    type: keyword
    example: answer

ecs fields

Meta-information specific to ECS.

ecs.version
    ECS version this event conforms to. ecs.version is a required field and
    must exist in all events. When querying across multiple indices — which
    may conform to slightly different ECS versions — this field lets
    integrations adjust to the schema version of the events.
    type: keyword
    example: 1.0.0
    required: True

elf fields

These fields contain Linux Executable Linkable Format (ELF) metadata.

elf.architecture
    Machine architecture of the ELF file.
    type: keyword
    example: x86-64

elf.byte_order
    Byte sequence of ELF file.
    type: keyword
    example: Little Endian

elf.cpu_type
    CPU type of the ELF file.
    type: keyword
    example: Intel

elf.creation_date
    Extracted when possible from the file’s metadata. Indicates when it was
    built or compiled. It can also be faked by malware creators.
    type: date

elf.exports
    List of exported element names and types.
    type: flattened

elf.header.abi_version
    Version of the ELF Application Binary Interface (ABI).
    type: keyword

elf.header.class
    Header class of the ELF file.
    type: keyword

elf.header.data
    Data table of the ELF header.
    type: keyword

elf.header.entrypoint
    Header entrypoint of the ELF file.
    type: long
    format: string

elf.header.object_version
    "0x1" for original ELF files.
    type: keyword

elf.header.os_abi
    Application Binary Interface (ABI) of the Linux OS.
    type: keyword

elf.header.type
    Header type of the ELF file.
    type: keyword

elf.header.version
    Version of the ELF header.
    type: keyword

elf.imports
    List of imported element names and types.
    type: flattened

elf.sections
    An array containing an object for each section of the ELF file. The keys
    that should be present in these objects are defined by sub-fields
    underneath elf.sections.*.
    type: nested

elf.sections.chi2
    Chi-square probability distribution of the section.
    type: long
    format: number

elf.sections.entropy
    Shannon entropy calculation from the section.
    type: long
    format: number

elf.sections.flags
    ELF Section List flags.
    type: keyword

elf.sections.name
    ELF Section List name.
    type: keyword

elf.sections.physical_offset
    ELF Section List offset.
    type: keyword

elf.sections.physical_size
    ELF Section List physical size.
    type: long
    format: bytes

elf.sections.type
    ELF Section List type.
    type: keyword

elf.sections.virtual_address
    ELF Section List virtual address.
    type: long
    format: string

elf.sections.virtual_size
    ELF Section List virtual size.
    type: long
    format: string

elf.segments
    An array containing an object for each segment of the ELF file. The keys
    that should be present in these objects are defined by sub-fields
    underneath elf.segments.*.
    type: nested

elf.segments.sections
    ELF object segment sections.
    type: keyword

elf.segments.type
    ELF object segment type.
    type: keyword

elf.shared_libraries
    List of shared libraries used by this ELF object.
    type: keyword

elf.telfhash
    telfhash symbol hash for ELF file.
    type: keyword
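The elf.sections.entropy and elf.sections.chi2 entries above name the two statistics without showing how they are computed. The block below is an added example, not ECS or Elastic code: it computes Shannon entropy (bits per byte) and a chi-square statistic of the byte histogram against a uniform distribution for each section's raw bytes, then flags high-entropy sections, which is how analysts spot packed or encrypted content. The section contents are constructed stand-ins (it does not parse an ELF header), the function names and the 7.0-bit threshold are this example's choices, and reading chi2 as "chi-square against uniform" is an assumption about the field.

```python
"""Per-section statistics behind elf.sections.entropy and elf.sections.chi2.

Added example, not ECS or Elastic code. Operates on raw section bytes
(constructed below) rather than parsing ELF; chi-square is taken against a
uniform distribution over the 256 byte values, an assumption of this example.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution; 0.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def section_stats(name: str, data: bytes) -> dict:
    """Build one elf.sections-style object carrying the two statistics."""
    return {
        "name": name,
        "physical_size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "chi2": round(chi_square(data), 2),
    }


def scan_sections(sections: dict) -> list:
    """Return one elf.sections-style object per section, in input order."""
    return [section_stats(name, data) for name, data in sections.items()]


def looks_packed(stats: dict, threshold: float = 7.0) -> bool:
    """Heuristic: entropy at or above the threshold suggests compressed or
    encrypted content. The 7.0-bit threshold is this example's choice."""
    return stats["entropy"] >= threshold


# Constructed sample sections: zero-filled data like .bss, structured text
# like .rodata, and a byte ramp standing in for a packed payload.
SAMPLE_SECTIONS = {
    ".bss": bytes(4096),
    ".rodata": b"Usage: %s [options]\0Copyright\0error: %d\0" * 64,
    ".packed": bytes(range(256)) * 16,
}


if __name__ == "__main__":
    for s in scan_sections(SAMPLE_SECTIONS):
        print(f"{s['name']:8} size={s['physical_size']:5} entropy={s['entropy']:.4f} "
              f"chi2={s['chi2']:.2f} packed={looks_packed(s)}")
```

On the constructed input the zero-filled section has entropy 0 and a very large chi-square (all mass on one byte value), while the byte ramp gives exactly 8 bits and a chi-square of 0; real compressed or encrypted sections land near the second case, which is why a per-section entropy threshold is a cheap first-pass packer indicator.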
error fields

These fields can represent errors of any kind. Use them for errors that
happen while fetching events or in cases where the event itself contains an
error.

error.code
    Error code describing the error.
    type: keyword

error.id
    Unique identifier for the error.
    type: keyword

error.message
    Error message.
    type: match_only_text

error.stack_trace
    The stack trace of this error in plain text.
    type: wildcard

error.stack_trace.text
    type: match_only_text

error.type
    The type of the error, for example the class name of the exception.
    type: keyword
    example: java.lang.NullPointerException

event fields

The event fields are used for context information about the log or metric
event itself.

A log is defined as an event containing details of something that happened.
Log events must include the time at which the thing happened. Examples of
log events include a process starting on a host, a network packet being sent
from a source to a destination, or a network connection between a client and
a server being initiated or closed. A metric is defined as an event
containing one or more numerical measurements and the time at which the
measurement was taken. Examples of metric events include memory pressure
measured on a host and device temperature. See the event.kind definition in
this section for additional details about metric and state events.

event.action
    The action captured by the event. This describes the information in the
    event. It is more specific than event.category. Examples are group-add,
    process-started, file-created. The value is normally defined by the
    implementer.
    type: keyword
    example: user-password-change

event.agent_id_status
    Agents are normally responsible for populating the agent.id field value.
    If the system receiving events is capable of validating the value based
    on authentication information for the client, then this field can be used
    to reflect the outcome of that validation.
    For example, if the agent’s connection is authenticated with mTLS and the
    client cert contains the ID of the agent to which the cert was issued,
    then the agent.id value in events can be checked against the certificate.
    If the values match, then event.agent_id_status: verified is added to the
    event; otherwise one of the other allowed values should be used.
    If no validation is performed, then the field should be omitted.
    The allowed values are:
     * verified - The agent.id field value matches the expected value
       obtained from auth metadata.
     * mismatch - The agent.id field value does not match the expected value
       obtained from auth metadata.
     * missing - There was no agent.id field in the event to validate.
     * auth_metadata_missing - There was no auth metadata or it was missing
       information about the agent ID.
    type: keyword
    example: verified

event.category
    This is one of four ECS Categorization Fields, and indicates the second
    level in the ECS category hierarchy. event.category represents the "big
    buckets" of ECS categories. For example, filtering on
    event.category:process yields all events relating to process activity.
    This field is closely related to event.type, which is used as a
    subcategory.
    This field is an array. This will allow proper categorization of some
    events that fall in multiple categories.
    type: keyword
    example: authentication

event.code
    Identification code for this event, if one exists. Some event sources use
    event codes to identify messages unambiguously, regardless of message
    language or wording adjustments over time. An example of this is the
    Windows Event ID.
    type: keyword
    example: 4648

event.created
    event.created contains the date/time when the event was first read by an
    agent, or by your pipeline. This field is distinct from @timestamp in
    that @timestamp typically contains the time extracted from the original
    event. In most situations, these two timestamps will be slightly
    different. The difference can be used to calculate the delay between
    your source generating an event, and the time when your agent first
    processed it. This can be used to monitor your agent’s or pipeline’s
    ability to keep up with your event source. In case the two timestamps are
    identical, @timestamp should be used.
    type: date
    example: 2016-05-23T08:05:34.857Z

event.dataset
    Name of the dataset. If an event source publishes more than one type of
    log or events (e.g. access log, error log), the dataset is used to
    specify which one the event comes from. It’s recommended but not required
    to start the dataset name with the module name, followed by a dot, then
    the dataset name.
    type: keyword
    example: apache.access

event.duration
    Duration of the event in nanoseconds. If event.start and event.end are
    known, this value should be the difference between the end and start
    time.
    type: long
    format: duration

event.end
    event.end contains the date when the event ended or when the activity
    was last observed.
    type: date

event.hash
    Hash (perhaps logstash fingerprint) of raw field to be able to
    demonstrate log integrity.
    type: keyword
    example: 123456789012345678901234567890ABCD

event.id
    Unique ID to describe the event.
    type: keyword
    example: 8a4f500d

event.ingested
    Timestamp when an event arrived in the central data store. This is
    different from @timestamp, which is when the event originally occurred.
    It’s also different from event.created, which is meant to capture the
    first time an agent saw the event. In normal conditions, assuming no
    tampering, the timestamps should chronologically look like this:
    @timestamp < event.created < event.ingested.
    type: date
    example: 2016-05-23T08:05:35.101Z

event.kind
    This is one of four ECS Categorization Fields, and indicates the highest
    level in the ECS category hierarchy. event.kind gives high-level
    information about what type of information the event contains, without
    being specific to the contents of the event. For example, values of this
    field distinguish alert events from metric events. The value of this
    field can be used to inform how these kinds of events should be handled.
    They may warrant different retention or different access control; it may
    also help understand whether the data is coming in at a regular interval
    or not.
    type: keyword
    example: alert

event.module
    Name of the module this data is coming from. If your monitoring agent
    supports the concept of modules or plugins to process events of a given
    source (e.g. Apache logs), event.module should contain the name of this
    module.
    type: keyword
    example: apache

event.original
    Raw text message of entire event. Used to demonstrate log integrity or
    where the full log message (before splitting it up in multiple parts) may
    be required, e.g. for reindex. This field is not indexed and doc_values
    are disabled. It cannot be searched, but it can be retrieved from
    _source. If users wish to override this and index this field, please see
    Field data types in the Elasticsearch Reference.
    type: keyword
    example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
    Field is not indexed.

event.outcome
    This is one of four ECS Categorization Fields, and indicates the lowest
    level in the ECS category hierarchy. event.outcome simply denotes whether
    the event represents a success or a failure from the perspective of the
    entity that produced the event.
    Note that when a single transaction is described in multiple events, each
    event may populate different values of event.outcome, according to their
    perspective.
    Also note that in the case of a compound event (a single event that
    contains multiple logical events), this field should be populated with
    the value that best captures the overall success or failure from the
    perspective of the event producer.
    Further note that not all events will have an associated outcome. For
    example, this field is generally not populated for metric events, events
    with event.type:info, or any events for which an outcome does not make
    logical sense.
    type: keyword
    example: success

event.provider
    Source of the event. Event transports such as Syslog or the Windows Event
    Log typically mention the source of an event. It can be the name of the
    software that generated the event (e.g. Sysmon, httpd), or of a subsystem
    of the operating system (kernel, Microsoft-Windows-Security-Auditing).
    type: keyword
    example: kernel
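Two of the event entries above describe receiver-side checks rather than values copied from the source: event.agent_id_status (the agent.id in the event compared with the ID carried by the authenticated client certificate) and the @timestamp < event.created < event.ingested ordering under event.ingested, whose differences also give the collection and ingest delays mentioned under event.created. The block below implements both as an added example; it is not Elastic Agent, Fleet or Elasticsearch code. The auth_metadata dict stands in for whatever the TLS terminator extracts from the client certificate (its "agent_id" key is this example's assumption), the sample event is constructed around the example timestamps the reference gives, and the function names are this example's own.

```python
"""Receiver-side checks for event.agent_id_status and the
@timestamp <= event.created <= event.ingested ordering.

Added example, not Elastic Agent, Fleet or Elasticsearch code. The
auth_metadata dict and the "agent_id" key in it are stand-ins for the agent
identity a TLS layer would extract from the client certificate.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# The allowed values listed in the event.agent_id_status entry.
AGENT_ID_STATUSES = ("verified", "mismatch", "missing", "auth_metadata_missing")


def agent_id_status(event: dict, auth_metadata: dict | None) -> str:
    """Return the event.agent_id_status value for a connection the receiver validates.

    Call this only when validation is actually performed; when it is not,
    the reference says to omit the field rather than set it.
    """
    expected = (auth_metadata or {}).get("agent_id")
    if not expected:
        return "auth_metadata_missing"       # no cert-derived agent ID to compare against
    actual = event.get("agent", {}).get("id")
    if actual is None:
        return "missing"                     # event carries no agent.id at all
    return "verified" if actual == expected else "mismatch"


def annotate_agent_id_status(event: dict, auth_metadata: dict | None) -> dict:
    """Return a copy of the event with event.agent_id_status set."""
    out = {**event, "event": dict(event.get("event", {}))}
    out["event"]["agent_id_status"] = agent_id_status(event, auth_metadata)
    return out


def _parse(ts: str) -> datetime:
    # datetime.fromisoformat() accepts a trailing "Z" only from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_timeline(event: dict) -> dict:
    """Check @timestamp <= event.created <= event.ingested and measure the gaps.

    Equal timestamps are allowed (the reference says to use @timestamp when
    the two are identical). A created time before @timestamp, or an ingested
    time before created, indicates clock skew or an altered event and is
    worth alerting on. Delays are returned in whole milliseconds.
    """
    ts = _parse(event["@timestamp"])
    created = _parse(event["event"]["created"])
    ingested = _parse(event["event"]["ingested"])
    ms = timedelta(milliseconds=1)
    return {
        "ordered": ts <= created <= ingested,
        "collection_delay_ms": (created - ts) // ms,   # source -> agent
        "ingest_delay_ms": (ingested - created) // ms,  # agent -> data store
    }


# Constructed event: @timestamp and agent.id are this example's; created and
# ingested are the example values from the event.created and event.ingested
# entries above.
SAMPLE_EVENT = {
    "@timestamp": "2016-05-23T08:05:34.000Z",
    "agent": {"id": "f3a2c1b0-example-agent"},
    "event": {
        "created": "2016-05-23T08:05:34.857Z",
        "ingested": "2016-05-23T08:05:35.101Z",
    },
}
# Constructed stand-in for what the TLS layer reports about the client cert.
SAMPLE_AUTH_METADATA = {"agent_id": "f3a2c1b0-example-agent"}


if __name__ == "__main__":
    print(annotate_agent_id_status(SAMPLE_EVENT, SAMPLE_AUTH_METADATA)["event"]["agent_id_status"])
    print(check_timeline(SAMPLE_EVENT))
```

Because agent.id is self-reported by the agent, only the "verified" outcome ties an event to an authenticated identity; a run of "mismatch" results from one client is the signal a detection rule would key on.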
     event.reason Reason why this event happened, according to the source.This
     describes the why of a particular action or outcome captured in the event.
     Where event.action captures the action from the event, event.reason
     describes why that action was taken. For example, a web proxy with an
     event.action which denied the request may also populate event.reason with
     the reason why (e.g. blocked site ). type: keyword example: Terminated an
     unexpected process event.reference Reference URL linking to additional
     information about this event.This URL links to a static definition of this
     event. Alert events, indicated by event.kind:alert , are a common use case
     for this field. type: keyword example:
     https://system.example.com/event/#0001234 event.risk_score Risk score or
priority of the event (e.g. security solutions). Use your system's original value here.
  type: float

event.risk_score_norm
  Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
  type: float

event.sequence
  Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
  type: long; format: string

event.severity
  The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in log.syslog.severity.code. event.severity is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the log.syslog.severity.code to event.severity.
  type: long; format: string; example: 7

event.start
  event.start contains the date when the event started or when the activity was first observed.
  type: date

event.timezone
  This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
  type: keyword

event.type
  This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
  type: keyword

event.url
  URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert, are a common use case for this field.
  type: keyword; example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
faas
  The faas fields describe information about the function as a service (FaaS) that is relevant to the event.

faas.coldstart
  Boolean value indicating a cold start of a function.
  type: boolean

faas.execution
  The execution ID of the current function execution.
  type: keyword; example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28

faas.trigger
  Details about the function trigger.
  type: nested

faas.trigger.request_id
  The ID of the trigger request, message, event, etc.
  type: keyword; example: 123456789

faas.trigger.type
  The trigger for the function execution. Expected values are: http, pubsub, datasource, timer, other.
  type: keyword; example: http

file
  A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.

file.accessed
  Last time the file was accessed. Note that not all filesystems keep track of access time.
  type: date

file.attributes
  Array of file attributes. Attribute names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
  type: keyword; example: ["readonly", "system"]

file.code_signature.digest_algorithm
  The hashing algorithm used to sign the file. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
  type: keyword; example: sha256

file.code_signature.exists
  Boolean to capture if a signature is present.
  type: boolean; example: true

file.code_signature.signing_id
  The identifier used to sign the file. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
  type: keyword; example: com.apple.xpc.proxy

file.code_signature.status
  Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
  type: keyword; example: ERROR_UNTRUSTED_ROOT

file.code_signature.subject_name
  Subject name of the code signer.
  type: keyword; example: Microsoft Corporation

file.code_signature.team_id
  The team identifier used to sign the file. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
  type: keyword; example: EQHXZ8M8AV

file.code_signature.timestamp
  Date and time when the code signature was generated and signed.
  type: date; example: 2021-01-01T12:10:30Z
file.code_signature.trusted
  Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
  type: boolean; example: true

file.code_signature.valid
  Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
  type: boolean; example: true

file.created
  File creation time. Note that not all filesystems store the creation time.
  type: date

file.ctime
  Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file.
  type: date

file.device
  Device that is the source of the file.
  type: keyword; example: sda

file.directory
  Directory where the file is located. It should include the drive letter, when appropriate.
  type: keyword; example: /home/alice

file.drive_letter
  Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
  type: keyword; example: C

file.elf.architecture
  Machine architecture of the ELF file.
  type: keyword; example: x86-64

file.elf.byte_order
  Byte sequence of ELF file.
  type: keyword; example: Little Endian

file.elf.cpu_type
  CPU type of the ELF file.
  type: keyword; example: Intel

file.elf.creation_date
  Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
  type: date

file.elf.exports
  List of exported element names and types.
  type: flattened

file.elf.header.abi_version
  Version of the ELF Application Binary Interface (ABI).
  type: keyword

file.elf.header.class
  Header class of the ELF file.
  type: keyword

file.elf.header.data
  Data table of the ELF header.
  type: keyword

file.elf.header.entrypoint
  Header entrypoint of the ELF file.
  type: long; format: string

file.elf.header.object_version
  "0x1" for original ELF files.
  type: keyword

file.elf.header.os_abi
  Application Binary Interface (ABI) of the Linux OS.
  type: keyword

file.elf.header.type
  Header type of the ELF file.
  type: keyword

file.elf.header.version
  Version of the ELF header.
  type: keyword

file.elf.imports
  List of imported element names and types.
  type: flattened

file.elf.sections
  An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.
  type: nested

file.elf.sections.chi2
  Chi-square probability distribution of the section.
  type: long; format: number

file.elf.sections.entropy
  Shannon entropy calculation from the section.
  type: long; format: number

file.elf.sections.flags
  ELF Section List flags.
  type: keyword

file.elf.sections.name
  ELF Section List name.
  type: keyword

file.elf.sections.physical_offset
  ELF Section List offset.
  type: keyword

file.elf.sections.physical_size
  ELF Section List physical size.
  type: long; format: bytes

file.elf.sections.type
  ELF Section List type.
  type: keyword

file.elf.sections.virtual_address
  ELF Section List virtual address.
  type: long; format: string

file.elf.sections.virtual_size
  ELF Section List virtual size.
  type: long; format: string

file.elf.segments
  An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.
  type: nested

file.elf.segments.sections
  ELF object segment sections.
  type: keyword

file.elf.segments.type
  ELF object segment type.
  type: keyword

file.elf.shared_libraries
  List of shared libraries used by this ELF object.
  type: keyword

file.elf.telfhash
  telfhash symbol hash for ELF file.
  type: keyword

file.extension
  File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
  type: keyword; example: png
file.fork_name
  A fork is additional data associated with a filesystem object. On macOS (HFS+ and APFS), a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name.
  type: keyword; example: Zone.Identifier

file.gid
  Primary group ID (GID) of the file.
  type: keyword; example: 1001

file.group
  Primary group name of the file.
  type: keyword; example: alice

file.hash.md5
  MD5 hash.
  type: keyword

file.hash.sha1
  SHA1 hash.
  type: keyword

file.hash.sha256
  SHA256 hash.
  type: keyword

file.hash.sha512
  SHA512 hash.
  type: keyword

file.hash.ssdeep
  SSDEEP hash.
  type: keyword

file.inode
  Inode representing the file in the filesystem.
  type: keyword; example: 256383

file.mime_type
  MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used.
  type: keyword

file.mode
  Mode of the file in octal representation.
  type: keyword; example: 0640

file.mtime
  Last time the file content was modified.
  type: date

file.name
  Name of the file including the extension, without the directory.
  type: keyword; example: example.png

file.owner
  File owner's username.
  type: keyword; example: alice

file.path
  Full path to the file, including the file name. It should include the drive letter, when appropriate.
  type: keyword; example: /home/alice/example.png
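The path-related rules above (file.path keeps the full form, file.directory includes the drive letter, file.drive_letter is uppercase without the colon, file.extension is only the last extension, and an NTFS stream name after the final colon becomes file.fork_name) are easy to get subtly wrong in a parser. The following is an added example, not code from the ECS project; the function name and the sample paths are this example's own.

```python
import re

# Windows path: drive letter, colon, then a path separator.
_WIN_DRIVE = re.compile(r"^([A-Za-z]):[\\/]")


def ecs_file_fields(raw_path: str) -> dict:
    """Return a dict shaped like the ECS file object (path-related keys only)."""
    fields = {"path": raw_path}          # file.path keeps the full form, ADS included
    body = raw_path
    m = _WIN_DRIVE.match(raw_path)
    if m:
        fields["drive_letter"] = m.group(1).upper()   # uppercase, no colon
        last_sep = max(body.rfind("\\"), body.rfind("/"))
        colon = body.rfind(":")
        # An NTFS Alternate Data Stream looks like "path\name.ext:stream". Only
        # a colon after the final separator can be a stream; the drive colon
        # at index 1 never is.
        if colon > last_sep:
            fields["fork_name"] = body[colon + 1:]
            body = body[:colon]
        directory, _, name = body.replace("/", "\\").rpartition("\\")
    else:
        directory, _, name = body.rpartition("/")
        if not directory and raw_path.startswith("/"):
            directory = "/"              # file lives in the root directory
    fields["directory"] = directory      # includes the drive letter on Windows
    fields["name"] = name                # name with extension, no directory
    # Only the last extension counts ("gz", not "tar.gz"); a leading dot alone
    # (".bashrc") is part of the name, not an extension.
    if "." in name[1:]:
        fields["extension"] = name.rsplit(".", 1)[1]
    return fields


if __name__ == "__main__":
    # Constructed sample paths, including a Zone.Identifier stream.
    for p in (r"C:\Users\alice\Downloads\tool.tar.gz:Zone.Identifier",
              "/home/alice/example.png", "/home/alice/.bashrc"):
        print(ecs_file_fields(p))
```

The stream check deliberately keys on the last colon being after the last separator, so a Windows path without a stream (where the only colon is the drive colon) never gets a spurious fork_name.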
file.path.text
  type: match_only_text

file.pe.architecture
  CPU architecture target for the file.
  type: keyword; example: x64

file.pe.company
  Internal company name of the file, provided at compile-time.
  type: keyword; example: Microsoft Corporation

file.pe.description
  Internal description of the file, provided at compile-time.
  type: keyword; example: Paint

file.pe.file_version
  Internal version of the file, provided at compile-time.
  type: keyword; example: 6.3.9600.17415

file.pe.imphash
  A hash of the imports in a PE file. An imphash, or import hash, can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
  type: keyword; example: 0c6803c4e922103c4dca5963aad36ddf

file.pe.original_file_name
  Internal name of the file, provided at compile-time.
  type: keyword; example: MSPAINT.EXE

file.pe.product
  Internal product name of the file, provided at compile-time.
  type: keyword; example: Microsoft® Windows® Operating System

file.size
  File size in bytes. Only relevant when file.type is "file".
  type: long; example: 16384

file.target_path
  Target path for symlinks.
  type: keyword

file.target_path.text
  type: match_only_text

file.type
  File type (file, dir, or symlink).
  type: keyword; example: file

file.uid
  The user ID (UID) or security identifier (SID) of the file owner.
  type: keyword; example: 1001

file.x509.alternative_names
  List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
  type: keyword; example: *.elastic.co

file.x509.issuer.common_name
  List of common names (CN) of issuing certificate authority.
  type: keyword; example: Example SHA2 High Assurance Server CA

file.x509.issuer.country
  List of country (C) codes.
  type: keyword; example: US

file.x509.issuer.distinguished_name
  Distinguished name (DN) of issuing certificate authority.
  type: keyword; example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

file.x509.issuer.locality
  List of locality names (L).
  type: keyword; example: Mountain View

file.x509.issuer.organization
  List of organizations (O) of issuing certificate authority.
  type: keyword; example: Example Inc

file.x509.issuer.organizational_unit
  List of organizational units (OU) of issuing certificate authority.
  type: keyword; example: www.example.com

file.x509.issuer.state_or_province
  List of state or province names (ST, S, or P).
  type: keyword; example: California

file.x509.not_after
  Time at which the certificate is no longer considered valid.
  type: date; example: 2020-07-16 03:15:39+00:00

file.x509.not_before
  Time at which the certificate is first considered valid.
  type: date; example: 2019-08-16 01:40:25+00:00

file.x509.public_key_algorithm
  Algorithm used to generate the public key.
  type: keyword; example: RSA

file.x509.public_key_curve
  The curve used by the elliptic curve public key algorithm. This is algorithm specific.
  type: keyword; example: nistp521

file.x509.public_key_exponent
  Exponent used to derive the public key. This is algorithm specific. Field is not indexed.
  type: long; example: 65537
file.x509.public_key_size
  The size of the public key space in bits.
  type: long; example: 2048

file.x509.serial_number
  Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and in uppercase.
  type: keyword; example: 55FBB9C7DEBF09809D12CCAA

file.x509.signature_algorithm
  Identifier for certificate signature algorithm. We recommend using names found in the Go crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353
  type: keyword; example: SHA256-RSA

file.x509.subject.common_name
  List of common names (CN) of subject.
  type: keyword; example: shared.global.example.net

file.x509.subject.country
  List of country (C) codes.
  type: keyword; example: US

file.x509.subject.distinguished_name
  Distinguished name (DN) of the certificate subject entity.
  type: keyword; example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

file.x509.subject.locality
  List of locality names (L).
  type: keyword; example: San Francisco

file.x509.subject.organization
  List of organizations (O) of subject.
  type: keyword; example: Example, Inc.

file.x509.subject.organizational_unit
  List of organizational units (OU) of subject.
  type: keyword

file.x509.subject.state_or_province
  List of state or province names (ST, S, or P).
  type: keyword; example: California

file.x509.version_number
  Version of x509 format.
  type: keyword; example: 3

geo
  Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.

geo.city_name
  City name.
  type: keyword; example: Montreal

geo.continent_code
  Two-letter code representing continent's name.
  type: keyword; example: NA

geo.continent_name
  Name of the continent.
  type: keyword; example: North America

geo.country_iso_code
  Country ISO code.
  type: keyword; example: CA

geo.country_name
  Country name.
  type: keyword; example: Canada

geo.location
  Longitude and latitude.
  type: geo_point; example: { "lon": -73.614830, "lat": 45.505918 }

geo.name
  User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
  type: keyword; example: boston-dc

geo.postal_code
  Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
  type: keyword; example: 94040

geo.region_iso_code
  Region ISO code.
  type: keyword; example: CA-QC

geo.region_name
  Region name.
  type: keyword; example: Quebec

geo.timezone
  The time zone of the location, such as IANA time zone name.
  type: keyword; example: America/Argentina/Buenos_Aires

group
  The group fields are meant to represent groups that are relevant to the event.

group.domain
  Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
  type: keyword

group.id
  Unique identifier for the group on the system/platform.
  type: keyword

group.name
  Name of the group.
  type: keyword
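The content-derived file fields above (file.hash.md5/sha1/sha256/sha512, and per-section file.elf.sections.entropy and file.elf.sections.chi2) can all be computed with the Python standard library. The block below is an added example, not ECS project code. It assumes chi2 is the chi-square statistic of the section's byte histogram against a uniform distribution (ECS only names the field), leaves out ssdeep because it needs a third-party library, and shows the snake-case naming rule ECS gives for hashes it does not predefine by adding sha3_512. The function names and sample bytes are constructed for this example.

```python
import hashlib
import math
from collections import Counter


def ecs_file_hashes(data: bytes) -> dict:
    """Return a dict shaped like the ECS file.hash.* object."""
    hashes = {n: hashlib.new(n, data).hexdigest()
              for n in ("md5", "sha1", "sha256", "sha512")}
    # Not predefined by ECS: lowercase the algorithm name, snake_case it.
    hashes["sha3_512"] = hashlib.sha3_512(data).hexdigest()
    return hashes


def section_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_chi2(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution. Near 0 for uniformly distributed bytes (encrypted or
    well-compressed sections), large for text or sparse data."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def ecs_section_metrics(name: str, data: bytes) -> dict:
    """One entry for the file.elf.sections array."""
    return {
        "name": name,
        "physical_size": len(data),
        "entropy": round(section_entropy(data), 4),
        "chi2": round(section_chi2(data), 4),
    }


if __name__ == "__main__":
    # Constructed sample data: a section containing every byte value equally
    # often looks like packed or encrypted data; a zero-filled section does not.
    packed = bytes(range(256)) * 4
    zeros = bytes(1024)
    print(ecs_file_hashes(b"hello"))
    print(ecs_section_metrics(".upx1", packed))
    print(ecs_section_metrics(".bss", zeros))
```

Entropy close to 8 together with a chi2 near 0 is the usual hint that a section is packed or encrypted; a detection rule can threshold on the stored file.elf.sections.entropy without recomputing anything.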
hash
  The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).

hash.md5
  MD5 hash.
  type: keyword

hash.sha1
  SHA1 hash.
  type: keyword

hash.sha256
  SHA256 hash.
  type: keyword

hash.sha512
  SHA512 hash.
  type: keyword

hash.ssdeep
  SSDEEP hash.
  type: keyword

host
  A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.

host.architecture
  Operating system architecture.
  type: keyword; example: x86_64

host.cpu.usage
  Percent CPU used, normalized by the number of CPU cores; it ranges from 0 to 1. Scaling factor: 1000. For example: for a two core host, this value should be the average of the two cores, between 0 and 1.
  type: scaled_float

host.disk.read.bytes
  The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
  type: long

host.disk.write.bytes
  The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
  type: long

host.domain
  Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
  type: keyword; example: CONTOSO

host.geo.city_name
  City name.
  type: keyword; example: Montreal

host.geo.continent_code
  Two-letter code representing continent's name.
  type: keyword; example: NA

host.geo.continent_name
  Name of the continent.
  type: keyword; example: North America

host.geo.country_iso_code
  Country ISO code.
  type: keyword; example: CA

host.geo.country_name
  Country name.
  type: keyword; example: Canada

host.geo.location
  Longitude and latitude.
  type: geo_point; example: { "lon": -73.614830, "lat": 45.505918 }

host.geo.name
  User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
  type: keyword; example: boston-dc

host.geo.postal_code
  Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
  type: keyword; example: 94040

host.geo.region_iso_code
  Region ISO code.
  type: keyword; example: CA-QC

host.geo.region_name
  Region name.
  type: keyword; example: Quebec

host.geo.timezone
  The time zone of the location, such as IANA time zone name.
  type: keyword; example: America/Argentina/Buenos_Aires
host.hostname
  Hostname of the host. It normally contains what the hostname command returns on the host machine.
  type: keyword

host.id
  Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: the current usage of beat.name.
  type: keyword

host.ip
  Host ip addresses.
  type: ip

host.mac
  Host MAC addresses. The notation format from RFC 7042 is suggested: each octet (that is, 8-bit byte) is represented by two uppercase hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
  type: keyword; example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]

host.name
  Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
  type: keyword

host.network.egress.bytes
  The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
  type: long

host.network.egress.packets
  The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
  type: long

host.network.ingress.bytes
  The number of bytes (gauge) received on all network interfaces by the host since the last metric collection.
  type: long

host.network.ingress.packets
  The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
  type: long

host.os.family
  OS family (such as redhat, debian, freebsd, windows).
  type: keyword; example: debian

host.os.full
  Operating system name, including the version or code name.
  type: keyword; example: Mac OS Mojave

host.os.full.text
  type: match_only_text

host.os.kernel
  Operating system kernel version as a raw string.
  type: keyword; example: 4.4.0-112-generic

host.os.name
  Operating system name, without the version.
  type: keyword; example: Mac OS X

host.os.name.text
  type: match_only_text

host.os.platform
  Operating system platform (such as centos, ubuntu, windows).
  type: keyword; example: darwin

host.os.type
  Use the os.type field to categorize the operating system into one of the broad commercial families. One of the following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
  type: keyword; example: macos

host.os.version
  Operating system version as a raw string.
  type: keyword; example: 10.14.1

host.type
  Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
  type: keyword

host.uptime
  Seconds the host has been up.
  type: long; example: 1325

http
  Fields related to HTTP activity. Use the url field set to store the url of the request.

http.request.body.bytes
  Size in bytes of the request body.
  type: long; format: bytes; example: 887

http.request.body.content
  The full HTTP request body.
  type: wildcard; example: Hello world

http.request.body.content.text
  type: match_only_text

http.request.bytes
  Total size in bytes of the request (body and headers).
  type: long; format: bytes; example: 1437

http.request.id
  A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as X-Request-ID or X-Correlation-ID.
  type: keyword; example: 123e4567-e89b-12d3-a456-426614174000

http.request.method
  HTTP request method. The value should retain its casing from the original event. For example, GET, get, and GeT are all considered valid values for this field.
  type: keyword; example: POST

http.request.mime_type
  Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the Content-Type header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.
  type: keyword; example: image/gif

http.request.referrer
  Referrer for this HTTP request.
  type: keyword; example: https://blog.example.com/

http.response.body.bytes
  Size in bytes of the response body.
  type: long; format: bytes; example: 887

http.response.body.content
  The full HTTP response body.
  type: wildcard; example: Hello world

http.response.body.content.text
  type: match_only_text
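The rule for http.request.mime_type above (derive the type from the body bytes, never from the Content-Type header, then compare the two) is what turns the field into a detection signal: a PE file uploaded with Content-Type image/gif is exactly the mismatch that is worth alerting on. The block below is an added example, not ECS project code. Its magic-byte table is a small assumed list, not anything ECS defines, the ELF label is not an IANA type, and the mime_mismatch key is this example's own rather than an ECS field. The same check applies to http.response.mime_type against the response's Content-Type.

```python
from typing import Optional

# (prefix, mime type). Longer or more specific prefixes first.
_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/vnd.microsoft.portable-executable"),
    (b"\x7fELF", "application/x-elf"),  # assumed label; no IANA registration
]


def sniff_mime_type(body: bytes) -> str:
    """Mime type from body content only, as ECS requires for mime_type."""
    for prefix, mime in _MAGIC:
        if body.startswith(prefix):
            return mime
    # Fallback: valid UTF-8 is text, anything else is opaque bytes.
    try:
        body.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


def header_mime_type(content_type: Optional[str]) -> Optional[str]:
    """Strip parameters: 'image/gif; charset=binary' -> 'image/gif'."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def ecs_http_request(headers: dict, body: bytes) -> dict:
    """ECS-shaped http.request object plus a mismatch flag for detection."""
    declared = header_mime_type(headers.get("Content-Type"))
    actual = sniff_mime_type(body)
    return {
        "http": {"request": {"mime_type": actual,
                             "body": {"bytes": len(body)}}},
        "declared_mime_type": declared,
        "mime_mismatch": declared is not None and declared != actual,
    }


if __name__ == "__main__":
    # Constructed sample: a PE header disguised as a GIF upload.
    print(ecs_http_request({"Content-Type": "image/gif"}, b"MZ\x90\x00" + bytes(60)))
```

Only the declared type is lowercased and stripped of parameters; the sniffed value is already canonical. With no Content-Type at all there is nothing to compare, so the flag stays false rather than producing noise.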
http.response.bytes
  Total size in bytes of the response (body and headers).
  type: long; format: bytes; example: 1437

http.response.mime_type
  Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the Content-Type header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.
  type: keyword; example: image/gif

http.response.status_code
  HTTP response status code.
  type: long; format: string; example: 404

http.version
  HTTP version.
  type: keyword; example: 1.1

interface
  The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.

interface.alias
  Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
  type: keyword; example: outside

interface.id
  Interface ID as reported by an observer (typically SNMP interface ID).
  type: keyword; example: 10

interface.name
  Interface name as reported by the system.
  type: keyword; example: eth0

log
  Details about the event's logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under log.syslog.*. The details specific to your event source are typically not logged under log.*, but rather in event.* or in other ECS fields.

log.file.path
  Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field.
  type: keyword; example: /var/log/fun-times.log

log.level
  Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in log.level. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are warn, err, i, informational.
  type: keyword; example: error

log.logger
  The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
  type: keyword; example: org.elasticsearch.bootstrap.Bootstrap

log.origin.file.line
  The line number of the file containing the source code which originated the log event.
  type: long; example: 42

log.origin.file.name
  The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is log.file.path.
  type: keyword; example: Bootstrap.java
log.origin.function
  The name of the function or method which originated the log event.
  type: keyword; example: init

log.syslog
  The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
  type: object

log.syslog.facility.code
  The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
  type: long; format: string; example: 23

log.syslog.facility.name
  The Syslog text-based facility of the log event, if available.
  type: keyword; example: local7

log.syslog.priority
  Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
  type: long; format: string; example: 135

log.syslog.severity.code
  The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to event.severity. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity.
  type: long; example: 3

log.syslog.severity.name
  The Syslog text-based severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to log.level. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level.
  type: keyword; example: Error

network
  The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.

network.application
  When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a https network connection, like facebook or twitter. The field value must be normalized to lowercase for querying.
  type: keyword; example: aim

network.bytes
  Total bytes transferred in both directions. If source.bytes and destination.bytes are known, network.bytes is their sum.
  type: long; format: bytes; example: 368

network.community_id
  A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec
  type: keyword; example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=

network.direction
  Direction of the network traffic. Recommended values are: ingress, egress, inbound, outbound, internal, external, unknown. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
  type: keyword; example: inbound

network.forwarded_ip
  Host IP address when the source IP address is the proxy.
  type: ip; example: 192.1.1.2

network.iana_number
  IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
  type: keyword; example: 6
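The log.syslog.* rules described above (priority = 8 * facility + severity, facility 0..23, severity 0..7, and the precedence between the transport's severity and the source's own severity for event.severity and log.level) are worth seeing as code, because the two most common mistakes are decoding the PRI wrong and overwriting a firewall's own severity with the syslog one. The following is an added example, not ECS project code. The facility keywords for 12..15 vary between syslog implementations and are an assumption here; the function names are this example's own.

```python
import re
from typing import Optional

# RFC 5424 facilities 0..23 by the usual syslog.h / rsyslog keywords
# (12..15 differ between implementations; these are an assumption).
_FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
               "solaris-cron", "local0", "local1", "local2", "local3", "local4",
               "local5", "local6", "local7"]
# RFC 5424 severities 0..7.
_SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
               "Informational", "Debug"]
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> dict:
    """Return the ECS log.syslog object for a raw line that starts with <PRI>."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                      # 8 * 23 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = divmod(pri, 8)   # PRI = 8 * facility + severity
    return {
        "priority": pri,
        "facility": {"code": facility, "name": _FACILITIES[facility]},
        "severity": {"code": severity, "name": _SEVERITIES[severity]},
    }


def ecs_severity_fields(syslog: dict,
                        source_severity: Optional[int] = None,
                        source_level: Optional[str] = None) -> dict:
    """Fill event.severity and log.level following the ECS precedence rule:
    the source's own severity wins; the Syslog one is copied only as a fallback."""
    fallback_code = syslog["severity"]["code"]
    fallback_name = syslog["severity"]["name"]
    return {
        "event": {"severity": source_severity if source_severity is not None
                  else fallback_code},
        "log": {"level": source_level if source_level is not None
                else fallback_name,
                "syslog": syslog},
    }


if __name__ == "__main__":
    # Constructed sample lines. The second carries a firewall's own severity
    # ("high", 9) that must not be replaced by the transport's value.
    plain = parse_pri("<135>Aug 26 10:00:00 app01 cron[412]: job finished")
    print(ecs_severity_fields(plain))
    fw = parse_pri("<187>Aug 26 10:00:01 fw01 ids: blocked scan")
    print(ecs_severity_fields(fw, source_severity=9, source_level="high"))
```

A PRI of 135 decodes to facility 16 (local0) and severity 7 (Debug); 187 decodes to local7 and Error. Rejecting values above 191 matters because a malformed or hostile line with, say, <999> would otherwise index past the facility table.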
network.inner
  Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when Q-in-Q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark).
  type: object

network.inner.vlan.id
  VLAN ID as reported by the observer.
  type: keyword; example: 10

network.inner.vlan.name
  Optional VLAN name as reported by the observer.
  type: keyword; example: outside

network.name
  Name given by operators to sections of their network.
  type: keyword; example: Guest Wifi
network.packets
  Total packets transferred in both directions. If source.packets and destination.packets are known, network.packets is their sum.
  type: long; example: 24

network.protocol
  In the OSI Model this would be the Application Layer protocol. For example, http, dns, or ssh. The field value must be normalized to lowercase for querying.
  type: keyword; example: http

network.transport
  Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.). The field value must be normalized to lowercase for querying.
  type: keyword; example: tcp

network.type
  In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc. The field value must be normalized to lowercase for querying.
  type: keyword; example: ipv4

network.vlan.id
  VLAN ID as reported by the observer.
  type: keyword; example: 10

network.vlan.name
  Optional VLAN name as reported by the observer.
  type: keyword; example: outside

observer
  An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.

observer.egress
  Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single-armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
  type: object

observer.egress.interface.alias
  Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
  type: keyword; example: outside

observer.egress.interface.id
  Interface ID as reported by an observer (typically SNMP interface ID).
  type: keyword; example: 10

observer.egress.interface.name
  Interface name as reported by the system.
  type: keyword; example: eth0

observer.egress.vlan.id
  VLAN ID as reported by the observer.
  type: keyword; example: 10

observer.egress.vlan.name
  Optional VLAN name as reported by the observer.
  type: keyword; example: outside

observer.egress.zone
  Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
  type: keyword; example: Public_Internet

observer.geo.city_name
  City name.
  type: keyword; example: Montreal

observer.geo.continent_code
  Two-letter code representing continent’s name.
  type: keyword; example: NA

observer.geo.continent_name
  Name of the continent.
  type: keyword; example: North America

observer.geo.country_iso_code
  Country ISO code.
  type: keyword; example: CA

observer.geo.country_name
  Country name.
  type: keyword; example: Canada

observer.geo.location
  Longitude and latitude.
  type: geo_point; example: { "lon": -73.614830, "lat": 45.505918 }

observer.geo.name
  User-defined description of a location, at the level of granularity they care about. This could be the name of a data center, a floor number if this describes a local physical entity, or a city name. Not typically used in automated geolocation.
  type: keyword; example: boston-dc
observer.geo.postal_code
  Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
  type: keyword; example: 94040

observer.geo.region_iso_code
  Region ISO code.
  type: keyword; example: CA-QC

observer.geo.region_name
  Region name.
  type: keyword; example: Quebec

observer.geo.timezone
  The time zone of the location, such as IANA time zone name.
  type: keyword; example: America/Argentina/Buenos_Aires
observer.hostname
  Hostname of the observer.
  type: keyword

observer.ingress
  Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single-armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
  type: object

observer.ingress.interface.alias
  Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
  type: keyword; example: outside

observer.ingress.interface.id
  Interface ID as reported by an observer (typically SNMP interface ID).
  type: keyword; example: 10

observer.ingress.interface.name
  Interface name as reported by the system.
  type: keyword; example: eth0

observer.ingress.vlan.id
  VLAN ID as reported by the observer.
  type: keyword; example: 10

observer.ingress.vlan.name
  Optional VLAN name as reported by the observer.
  type: keyword; example: outside
observer.ingress.zone
  Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
  type: keyword; example: DMZ

observer.ip
  IP addresses of the observer.
  type: ip

observer.mac
  MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
  type: keyword; example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]

observer.name
  Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.
  type: keyword; example: 1_proxySG

observer.os.family
  OS family (such as redhat, debian, freebsd, windows).
  type: keyword; example: debian

observer.os.full
  Operating system name, including the version or code name.
  type: keyword; example: Mac OS Mojave

observer.os.full.text
  type: match_only_text

observer.os.kernel
  Operating system kernel version as a raw string.
  type: keyword; example: 4.4.0-112-generic

observer.os.name
  Operating system name, without the version.
  type: keyword; example: Mac OS X

observer.os.name.text
  type: match_only_text

observer.os.platform
  Operating system platform (such as centos, ubuntu, windows).
  type: keyword; example: darwin

observer.os.type
  Use the os.type field to categorize the operating system into one of the broad commercial families. One of the following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
  type: keyword; example: macos

observer.os.version
  Operating system version as a raw string.
  type: keyword; example: 10.14.1

observer.product
  The product name of the observer.
  type: keyword; example: s200

observer.serial_number
  Observer serial number.
  type: keyword

observer.type
  The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server.
  type: keyword; example: firewall

observer.vendor
  Vendor name of the observer.
  type: keyword; example: Symantec

observer.version
  Observer version.
  type: keyword

orchestrator
  Fields that describe the resources which container orchestrators manage or act upon.

orchestrator.api_version
  API version being used to carry out the action.
  type: keyword; example: v1beta1

orchestrator.cluster.name
  Name of the cluster.
  type: keyword

orchestrator.cluster.url
  URL of the API used to manage the cluster.
  type: keyword

orchestrator.cluster.version
  The version of the cluster.
  type: keyword

orchestrator.namespace
  Namespace in which the action is taking place.
  type: keyword; example: kube-system

orchestrator.organization
  Organization affected by the event (for multi-tenant orchestrator setups).
  type: keyword; example: elastic

orchestrator.resource.name
  Name of the resource being acted upon.
  type: keyword; example: test-pod-cdcws

orchestrator.resource.type
  Type of resource being acted upon.
  type: keyword; example: service

orchestrator.type
  Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
  type: keyword; example: kubernetes

organization
  The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
organization.id
  Unique identifier for the organization.
  type: keyword

organization.name
  Organization name.
  type: keyword

organization.name.text
  type: match_only_text

os
  The OS fields contain information about the operating system.

os.family
  OS family (such as redhat, debian, freebsd, windows).
  type: keyword; example: debian

os.full
  Operating system name, including the version or code name.
  type: keyword; example: Mac OS Mojave
os.full.text
  type: match_only_text

os.kernel
  Operating system kernel version as a raw string.
  type: keyword; example: 4.4.0-112-generic

os.name
  Operating system name, without the version.
  type: keyword; example: Mac OS X

os.name.text
  type: match_only_text

os.platform
  Operating system platform (such as centos, ubuntu, windows).
  type: keyword; example: darwin

os.type
  Use the os.type field to categorize the operating system into one of the broad commercial families. One of the following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
  type: keyword; example: macos

os.version
  Operating system version as a raw string.
  type: keyword; example: 10.14.1

package
  These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.

package.architecture
  Package architecture.
  type: keyword; example: x86_64

package.build_version
  Additional information about the build version of the installed package. For example, use the commit SHA of a non-released package.
  type: keyword; example: 36f4f7e89dd61b0988b12ee000b98966867710cd

package.checksum
  Checksum of the installed package for verification.
  type: keyword; example: 68b329da9893e34099c7d8ad5cb9c940

package.description
  Description of the package.
  type: keyword; example: Open source programming language to build simple/reliable/efficient software.

package.install_scope
  Indicating how the package was installed, e.g. user-local, global.
  type: keyword; example: global

package.installed
  Time when package was installed.
  type: date

package.license
  License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ( https://spdx.org/licenses/ ).
  type: keyword; example: Apache License 2.0
package.name
  Package name.
  type: keyword; example: go

package.path
  Path where the package is installed.
  type: keyword; example: /usr/local/Cellar/go/1.12.9/

package.reference
  Home page or reference URL of the software in this package, if available.
  type: keyword; example: https://golang.org

package.size
  Package size in bytes.
  type: long; example: 62231; format: string

package.type
  Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
  type: keyword; example: rpm
package.version
  Package version.
  type: keyword; example: 1.12.9

pe
  These fields contain Windows Portable Executable (PE) metadata.

pe.architecture
  CPU architecture target for the file.
  type: keyword; example: x64

pe.company
  Internal company name of the file, provided at compile-time.
  type: keyword; example: Microsoft Corporation

pe.description
  Internal description of the file, provided at compile-time.
  type: keyword; example: Paint

pe.file_version
  Internal version of the file, provided at compile-time.
  type: keyword; example: 6.3.9600.17415

pe.imphash
  A hash of the imports in a PE file. An imphash, or import hash, can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html .
  type: keyword; example: 0c6803c4e922103c4dca5963aad36ddf
pe.original_file_name
  Internal name of the file, provided at compile-time.
  type: keyword; example: MSPAINT.EXE

pe.product
  Internal product name of the file, provided at compile-time.
  type: keyword; example: Microsoft® Windows® Operating System

process
  These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.
process.args
  Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
  type: keyword; example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]

process.args_count
  Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
  type: long; example: 4
process.code_signature.digest_algorithm
  The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
  type: keyword; example: sha256

process.code_signature.exists
  Boolean to capture if a signature is present.
  type: boolean; example: true

process.code_signature.signing_id
  The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
  type: keyword; example: com.apple.xpc.proxy

process.code_signature.status
  Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
  type: keyword; example: ERROR_UNTRUSTED_ROOT

process.code_signature.subject_name
  Subject name of the code signer.
  type: keyword; example: Microsoft Corporation

process.code_signature.team_id
  The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
  type: keyword; example: EQHXZ8M8AV

process.code_signature.timestamp
  Date and time when the code signature was generated and signed.
  type: date; example: 2021-01-01T12:10:30Z

process.code_signature.trusted
  Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
  type: boolean; example: true

process.code_signature.valid
  Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
  type: boolean; example: true

process.command_line
  Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
  type: wildcard; example: /usr/bin/ssh -l user 10.0.0.16
process.command_line.text
  type: match_only_text

process.elf.architecture
  Machine architecture of the ELF file.
  type: keyword; example: x86-64

process.elf.byte_order
  Byte sequence of ELF file.
  type: keyword; example: Little Endian

process.elf.cpu_type
  CPU type of the ELF file.
  type: keyword; example: Intel

process.elf.creation_date
  Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
  type: date

process.elf.exports
  List of exported element names and types.
  type: flattened

process.elf.header.abi_version
  Version of the ELF Application Binary Interface (ABI).
  type: keyword

process.elf.header.class
  Header class of the ELF file.
  type: keyword

process.elf.header.data
  Data table of the ELF header.
  type: keyword

process.elf.header.entrypoint
  Header entrypoint of the ELF file.
  type: long; format: string

process.elf.header.object_version
  "0x1" for original ELF files.
  type: keyword

process.elf.header.os_abi
  Application Binary Interface (ABI) of the Linux OS.
  type: keyword

process.elf.header.type
  Header type of the ELF file.
  type: keyword

process.elf.header.version
  Version of the ELF header.
  type: keyword

process.elf.imports
  List of imported element names and types.
  type: flattened

process.elf.sections
  An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.* .
  type: nested

process.elf.sections.chi2
  Chi-square probability distribution of the section.
  type: long; format: number

process.elf.sections.entropy
  Shannon entropy calculation from the section.
  type: long; format: number
process.elf.sections.flags
  ELF Section List flags.
  type: keyword

process.elf.sections.name
  ELF Section List name.
  type: keyword

process.elf.sections.physical_offset
  ELF Section List offset.
  type: keyword

process.elf.sections.physical_size
  ELF Section List physical size.
  type: long; format: bytes

process.elf.sections.type
  ELF Section List type.
  type: keyword

process.elf.sections.virtual_address
  ELF Section List virtual address.
  type: long; format: string

process.elf.sections.virtual_size
  ELF Section List virtual size.
  type: long; format: string

process.elf.segments
  An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.* .
  type: nested

process.elf.segments.sections
  ELF object segment sections.
  type: keyword

process.elf.segments.type
  ELF object segment type.
  type: keyword

process.elf.shared_libraries
  List of shared libraries used by this ELF object.
  type: keyword

process.elf.telfhash
  telfhash symbol hash for ELF file.
  type: keyword

process.end
  The time the process ended.
  type: date; example: 2016-05-23T08:05:34.853Z
process.entity_id
  Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
  type: keyword; example: c2c455d9f99375d

process.executable
  Absolute path to the process executable.
  type: keyword; example: /usr/bin/ssh
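How process.entity_id, process.args_count and process.command_line are typically derived from a raw exec event, and why entity_id needs more than the PID, is shown by the following added example (written for this page; not Elastic Agent, Sysmon or ECS code). It also covers the "may be filtered to protect sensitive information" clause on process.args and process.command_line. The identifier format (truncated SHA-256 over host id, PID and start time), the SENSITIVE_FLAGS list, the key names and the sample events are this example's assumptions; ECS leaves the construction of entity_id to the data source.

```python
"""Derive ECS process.* fields from a raw exec event (added example; not ECS or Elastic Agent code)."""
import hashlib
import os
import shlex
from datetime import datetime, timezone

# Flags whose values never belong in process.args / process.command_line.
# A constructed starting list; extend it for the tooling in your environment.
SENSITIVE_FLAGS = {"--password", "--token", "--api-key", "-p"}
REDACTED = "<redacted>"


def ecs_time(dt):
    """ECS date formatting: ISO 8601, millisecond precision, UTC with 'Z'."""
    u = dt.astimezone(timezone.utc)
    return u.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (u.microsecond // 1000)


def redact_args(args):
    """Mask secret values given as --flag=value or as the argument after --flag."""
    out, mask_next = [], False
    for arg in args:
        if mask_next:
            out.append(REDACTED)
            mask_next = False
            continue
        key, sep, _ = arg.partition("=")
        if sep and key in SENSITIVE_FLAGS:      # --password=hunter2
            out.append(key + "=" + REDACTED)
        elif arg in SENSITIVE_FLAGS:            # --password hunter2
            out.append(arg)
            mask_next = True
        else:
            out.append(arg)
    return out


def entity_id(host_id, pid, start):
    """Host-unique process identifier that survives PID reuse.

    (host, pid) alone collides as soon as the kernel recycles a PID; adding the
    start time makes the recycled PID hash to a new value.  Truncated SHA-256 is
    this example's choice; ECS leaves the construction to the data source.
    """
    key = "%s|%d|%s" % (host_id, pid, ecs_time(start))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:32]


def process_fields(host_id, pid, start, args, parent=None):
    """Return process.* (and process.parent.*) fields for one exec event.

    args is the raw argv; parent is an optional (pid, start, argv) tuple.
    """
    safe = redact_args(args)
    fields = {
        "process.pid": pid,
        "process.start": ecs_time(start),
        "process.entity_id": entity_id(host_id, pid, start),
        "process.executable": args[0],
        "process.name": os.path.basename(args[0]),
        "process.args": safe,
        "process.args_count": len(safe),
        "process.command_line": shlex.join(safe),
    }
    if parent is not None:
        ppid, pstart, pargs = parent
        fields["process.parent.pid"] = ppid
        fields["process.parent.entity_id"] = entity_id(host_id, ppid, pstart)
        fields["process.parent.executable"] = pargs[0]
        fields["process.parent.name"] = os.path.basename(pargs[0])
    return fields


# Constructed sample events.
T_SHELL = datetime(2016, 5, 23, 8, 0, 0, tzinfo=timezone.utc)
T_START = datetime(2016, 5, 23, 8, 5, 34, 853000, tzinfo=timezone.utc)
T_REUSED = datetime(2016, 5, 23, 9, 0, 0, tzinfo=timezone.utc)   # same PID, later process
SSH_ARGS = ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
DB_ARGS = ["/usr/bin/mysql", "-u", "root", "--password=hunter2", "-h", "db"]


def demo():
    """Enrich the mysql event with its parent shell; the secret is masked."""
    return process_fields("host-01", 4242, T_START, DB_ARGS, parent=(4100, T_SHELL, ["/bin/bash"]))


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %s" % (k, v))
```

Redaction is applied once, before args, args_count and command_line are derived, so the three fields stay consistent with each other; args_count counts the redacted array, which is the same length. The parent's entity_id is built with the same function from the parent's own start time, which is what lets a child be joined to its parent even after the parent's PID has been recycled by a later process.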
process.executable.text
  type: match_only_text

process.exit_code
  The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
  type: long; example: 137

process.hash.md5
  MD5 hash.
  type: keyword

process.hash.sha1
  SHA1 hash.
  type: keyword

process.hash.sha256
  SHA256 hash.
  type: keyword

process.hash.sha512
  SHA512 hash.
  type: keyword

process.hash.ssdeep
  SSDEEP hash.
  type: keyword

process.name
  Process name. Sometimes called program name or similar.
  type: keyword; example: ssh
process.name.text
  type: match_only_text

process.parent.args
  Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
  type: keyword; example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]

process.parent.args_count
  Length of the process.parent.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
  type: long; example: 4

process.parent.code_signature.digest_algorithm
  The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
  type: keyword; example: sha256
process.parent.code_signature.exists
  Boolean to capture if a signature is present.
  type: boolean; example: true

process.parent.code_signature.signing_id
  The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
  type: keyword; example: com.apple.xpc.proxy

process.parent.code_signature.status
  Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
  type: keyword; example: ERROR_UNTRUSTED_ROOT

process.parent.code_signature.subject_name
  Subject name of the code signer.
  type: keyword; example: Microsoft Corporation

process.parent.code_signature.team_id
  The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
  type: keyword; example: EQHXZ8M8AV

process.parent.code_signature.timestamp
  Date and time when the code signature was generated and signed.
  type: date; example: 2021-01-01T12:10:30Z

process.parent.code_signature.trusted
  Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
  type: boolean; example: true

process.parent.code_signature.valid
  Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
  type: boolean; example: true
process.parent.command_line
  Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
  type: wildcard; example: /usr/bin/ssh -l user 10.0.0.16

process.parent.command_line.text
  type: match_only_text

process.parent.elf.architecture
  Machine architecture of the ELF file.
  type: keyword; example: x86-64

process.parent.elf.byte_order
  Byte sequence of ELF file.
  type: keyword; example: Little Endian

process.parent.elf.cpu_type
  CPU type of the ELF file.
  type: keyword; example: Intel

process.parent.elf.creation_date
  Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
  type: date

process.parent.elf.exports
  List of exported element names and types.
  type: flattened

process.parent.elf.header.abi_version
  Version of the ELF Application Binary Interface (ABI).
  type: keyword

process.parent.elf.header.class
  Header class of the ELF file.
  type: keyword

process.parent.elf.header.data
  Data table of the ELF header.
  type: keyword

process.parent.elf.header.entrypoint
  Header entrypoint of the ELF file.
  type: long; format: string

process.parent.elf.header.object_version
  "0x1" for original ELF files.
  type: keyword

process.parent.elf.header.os_abi
  Application Binary Interface (ABI) of the Linux OS.
  type: keyword

process.parent.elf.header.type
  Header type of the ELF file.
  type: keyword

process.parent.elf.header.version
  Version of the ELF header.
  type: keyword

process.parent.elf.imports
  List of imported element names and types.
  type: flattened

process.parent.elf.sections
  An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.* .
  type: nested

process.parent.elf.sections.chi2
  Chi-square probability distribution of the section.
  type: long; format: number

process.parent.elf.sections.entropy
  Shannon entropy calculation from the section.
  type: long; format: number
process.parent.elf.sections.flags
  ELF Section List flags.
  type: keyword

process.parent.elf.sections.name
  ELF Section List name.
  type: keyword

process.parent.elf.sections.physical_offset
  ELF Section List offset.
  type: keyword

process.parent.elf.sections.physical_size
  ELF Section List physical size.
  type: long; format: bytes

process.parent.elf.sections.type
  ELF Section List type.
  type: keyword

process.parent.elf.sections.virtual_address
  ELF Section List virtual address.
  type: long; format: string

process.parent.elf.sections.virtual_size
  ELF Section List virtual size.
  type: long; format: string

process.parent.elf.segments
  An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.* .
  type: nested

process.parent.elf.segments.sections
  ELF object segment sections.
  type: keyword

process.parent.elf.segments.type
  ELF object segment type.
  type: keyword

process.parent.elf.shared_libraries
  List of shared libraries used by this ELF object.
  type: keyword

process.parent.elf.telfhash
  telfhash symbol hash for ELF file.
  type: keyword

process.parent.end
  The time the process ended.
  type: date; example: 2016-05-23T08:05:34.853Z

process.parent.entity_id
  Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
  type: keyword; example: c2c455d9f99375d

process.parent.executable
  Absolute path to the process executable.
  type: keyword; example: /usr/bin/ssh

process.parent.executable.text
  type: match_only_text

process.parent.exit_code
  The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
  type: long; example: 137
process.parent.hash.md5
  MD5 hash.
  type: keyword

process.parent.hash.sha1
  SHA1 hash.
  type: keyword

process.parent.hash.sha256
  SHA256 hash.
  type: keyword

process.parent.hash.sha512
  SHA512 hash.
  type: keyword

process.parent.hash.ssdeep
  SSDEEP hash.
  type: keyword

process.parent.name
  Process name. Sometimes called program name or similar.
  type: keyword; example: ssh

process.parent.name.text
  type: match_only_text

process.parent.pe.architecture
  CPU architecture target for the file.
  type: keyword; example: x64

process.parent.pe.company
  Internal company name of the file, provided at compile-time.
  type: keyword; example: Microsoft Corporation

process.parent.pe.description
  Internal description of the file, provided at compile-time.
  type: keyword; example: Paint

process.parent.pe.file_version
  Internal version of the file, provided at compile-time.
  type: keyword; example: 6.3.9600.17415

process.parent.pe.imphash
  A hash of the imports in a PE file. An imphash, or import hash, can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html .
  type: keyword; example: 0c6803c4e922103c4dca5963aad36ddf

process.parent.pe.original_file_name
  Internal name of the file, provided at compile-time.
  type: keyword; example: MSPAINT.EXE

process.parent.pe.product
  Internal product name of the file, provided at compile-time.
  type: keyword; example: Microsoft® Windows® Operating System

process.parent.pgid
  Identifier of the group of processes the process belongs to.
  type: long; format: string

process.parent.pid
  Process id.
  type: long; example: 4242; format: string

process.parent.start
  The time the process started.
  type: date; example: 2016-05-23T08:05:34.853Z

process.parent.thread.id
  Thread ID.
  type: long; example: 4242; format: string

process.parent.thread.name
  Thread name.
  type: keyword; example: thread-0

process.parent.title
  Process title. The proctitle, sometimes the same as the process name. Can also be different: for example a browser setting its title to the web page currently opened.
  type: keyword

process.parent.title.text
  type: match_only_text

process.parent.uptime
  Seconds the process has been up.
  type: long; example: 1325

process.parent.working_directory
  The working directory of the process.
  type: keyword; example: /home/alice

process.parent.working_directory.text
  type: match_only_text
process.pe.architecture
  CPU architecture target for the file.
  type: keyword; example: x64

process.pe.company
  Internal company name of the file, provided at compile-time.
  type: keyword; example: Microsoft Corporation

process.pe.description
  Internal description of the file, provided at compile-time.
  type: keyword; example: Paint

process.pe.file_version
  Internal version of the file, provided at compile-time.
  type: keyword; example: 6.3.9600.17415

process.pe.imphash
  A hash of the imports in a PE file. An imphash, or import hash, can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html .
  type: keyword; example: 0c6803c4e922103c4dca5963aad36ddf
     process.pe.original_file_name Internal name of the file, provided at
     compile-time. type: keyword example: MSPAINT.EXE process.pe.product
     Internal product name of the file, provided at compile-time. type: keyword
     example: Microsoft® Windows® Operating System process.pgid Identifier of
     the group of processes the process belongs to. type: long format: string
     process.pid Process id. type: long example: 4242 format: string
     process.start The time the process started. type: date example:
     2016-05-23T08:05:34.853Z process.thread.id Thread ID. type: long example:
     4242 format: string process.thread.name Thread name. type: keyword example:
     thread-0 process.title Process title.The proctitle, some times the same as
     process name. Can also be different: for example a browser setting its
     title to the web page currently opened. type: keyword process.title.text
     type: match_only_text process.uptime Seconds the process has been up. type:
     long example: 1325 process.working_directory The working directory of the
     process. type: keyword example: /home/alice process.working_directory.text
     type: match_only_text registry Fields related to Windows Registry
     operations. registry.data.bytes Original bytes written with base64
     encoding.For Windows registry operations, such as SetValueEx and
     RegQueryValueEx, this corresponds to the data pointed by lp_data . This is
     optional but provides better recoverability and should be populated for
     REG_BINARY encoded values. type: keyword example:
     ZQBuAC0AVQBTAAAAZQBuAAAAAAA= registry.data.strings Content when writing
     string types.Populated as an array when writing string data to the
     registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this
     should be an array with one string. For sequences of string with
     REG_MULTI_SZ, this array will be variable length. For numeric data, such as
     REG_DWORD and REG_QWORD, this should be populated with the decimal
     representation (e.g "1" ). type: wildcard example:
     ["C:\rta\red_ttp\bin\myapp.exe"] registry.data.type Standard registry type
     for encoding contents type: keyword example: REG_SZ registry.hive
     Abbreviated name for the hive. type: keyword example: HKLM registry.key
     Hive-relative path of keys. type: keyword example:
     SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
     Options\winword.exe registry.path Full path, including hive, key and value
     type: keyword example: HKLM\SOFTWARE\Microsoft\Windows
     NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
     registry.value Name of the value written. type: keyword example: Debugger
related
  This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in related. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to related.ip, you can then search for a given IP trivially, no matter where it appeared, by querying related.ip:192.0.2.15.

related.hash
  All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
  type: keyword

related.hosts
  All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
  type: keyword

related.ip
  All of the IPs seen on your event.
  type: ip

related.user
  All the user names or other user identifiers seen on the event.
  type: keyword

rule
  Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, URL filters, endpoint detection and response (EDR) systems, etc.

rule.author
  Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
  type: keyword | example: ["Star-Lord"]

rule.category
  A categorization value keyword used by the entity using the rule for detection of this event.
  type: keyword | example: Attempted Information Leak

rule.description
  The description of the rule generating the event.
  type: keyword | example: Block requests to public DNS over HTTPS / TLS protocols

rule.id
  A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
  type: keyword | example: 101

rule.license
  Name of the license under which the rule used to generate this event is made available.
  type: keyword | example: Apache 2.0

rule.name
  The name of the rule or signature generating the event.
  type: keyword | example: BLOCK_DNS_over_TLS

rule.reference
  Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.
  type: keyword | example: https://en.wikipedia.org/wiki/DNS_over_TLS

rule.ruleset
  Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
  type: keyword | example: Standard_Protocol_Filters

rule.uuid
  A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
  type: keyword | example: 1100110011
rule.version
  The version / revision of the rule being used for analysis.
  type: keyword | example: 1.1

server
  A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer to the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.

server.address
  Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.
  type: keyword

server.as.number
  Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
  type: long | example: 15169

server.as.organization.name
  Organization name.
  type: keyword | example: Google LLC

server.as.organization.name.text
  type: match_only_text

server.bytes
  Bytes sent from the server to the client.
  type: long | format: bytes | example: 184

server.domain
  The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
  type: keyword | example: foo.example.com

server.geo.city_name
  City name.
  type: keyword | example: Montreal

server.geo.continent_code
  Two-letter code representing the continent's name.
  type: keyword | example: NA

server.geo.continent_name
  Name of the continent.
  type: keyword | example: North America

server.geo.country_iso_code
  Country ISO code.
  type: keyword | example: CA

server.geo.country_name
  Country name.
  type: keyword | example: Canada

server.geo.location
  Longitude and latitude.
  type: geo_point | example: { "lon": -73.614830, "lat": 45.505918 }

server.geo.name
  User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
  type: keyword | example: boston-dc

server.geo.postal_code
  Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
  type: keyword | example: 94040

server.geo.region_iso_code
  Region ISO code.
  type: keyword | example: CA-QC

server.geo.region_name
  Region name.
  type: keyword | example: Quebec

server.geo.timezone
  The time zone of the location, such as an IANA time zone name.
  type: keyword | example: America/Argentina/Buenos_Aires

server.ip
  IP address of the server (IPv4 or IPv6).
  type: ip

server.mac
  MAC address of the server. The notation format from RFC 7042 is suggested: each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
  type: keyword | example: 00-00-5E-00-53-23

server.nat.ip
  Translated IP of destination-based NAT sessions (e.g. internet to private DMZ). Typically used with load balancers, firewalls, or routers.
  type: ip

server.nat.port
  Translated port of destination-based NAT sessions (e.g. internet to private DMZ). Typically used with load balancers, firewalls, or routers.
  type: long | format: string

server.packets
  Packets sent from the server to the client.
  type: long | example: 12

server.port
  Port of the server.
  type: long | format: string

server.registered_domain
  The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
  type: keyword | example: example.com

server.subdomain
  The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
  type: keyword | example: east

server.top_level_domain
  The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
  type: keyword | example: co.uk

server.user.domain
  Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
  type: keyword

server.user.email
  User email address.
  type: keyword

server.user.full_name
  User's full name, if available.
  type: keyword | example: Albert Einstein

server.user.full_name.text
  type: match_only_text

server.user.group.domain
  Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
  type: keyword

server.user.group.id
  Unique identifier for the group on the system/platform.
  type: keyword

server.user.group.name
  Name of the group.
  type: keyword

server.user.hash
  Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.
  type: keyword

server.user.id
  Unique identifier of the user.
  type: keyword | example: S-1-5-21-202424912787-2692429404-2351956786-1000

server.user.name
  Short name or login of the user.
  type: keyword | example: a.einstein

server.user.name.text
  type: match_only_text

server.user.roles
  Array of user roles at the time of the event.
  type: keyword | example: ["kibana_admin", "reporting_user"]

service
  The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.

service.address
  Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
  type: keyword | example: 172.26.0.2:5432

service.environment
  Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
  type: keyword | example: production

service.ephemeral_id
  Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.
  type: keyword | example: 8a4f500f

service.id
  Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that host.name or host.id instead.
  type: keyword | example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6

service.name
  Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.
  type: keyword | example: elasticsearch-metrics
service.node.name
  Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host), the node name can be manually set.
  type: keyword | example: instance-0000000016

service.origin.address
  Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
  type: keyword | example: 172.26.0.2:5432

service.origin.environment
  Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
  type: keyword | example: production

service.origin.ephemeral_id
  Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.
  type: keyword | example: 8a4f500f

service.origin.id
  Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that host.name or host.id instead.
  type: keyword | example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6

service.origin.name
  Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.
  type: keyword | example: elasticsearch-metrics

service.origin.node.name
  Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host), the node name can be manually set.
  type: keyword | example: instance-0000000016

service.origin.state
  Current state of the service.
  type: keyword

service.origin.type
  The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: if logs or metrics are collected from Elasticsearch, service.type would be elasticsearch.
  type: keyword | example: elasticsearch

service.origin.version
  Version of the service the data was collected from. This allows you to look at a data set only for a specific version of a service.
  type: keyword | example: 3.2.4

service.state
  Current state of the service.
  type: keyword

service.target.address
  Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
  type: keyword | example: 172.26.0.2:5432

service.target.environment
  Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
  type: keyword | example: production

service.target.ephemeral_id
  Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.
  type: keyword | example: 8a4f500f

service.target.id
  Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that host.name or host.id instead.
  type: keyword | example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6

service.target.name
  Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.
  type: keyword | example: elasticsearch-metrics
service.target.node.name
  Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host), the node name can be manually set.
  type: keyword | example: instance-0000000016

service.target.state
  Current state of the service.
  type: keyword

service.target.type
  The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: if logs or metrics are collected from Elasticsearch, service.type would be elasticsearch.
  type: keyword | example: elasticsearch

service.target.version
  Version of the service the data was collected from. This allows you to look at a data set only for a specific version of a service.
  type: keyword | example: 3.2.4

service.type
  The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: if logs or metrics are collected from Elasticsearch, service.type would be elasticsearch.
  type: keyword | example: elasticsearch

service.version
  Version of the service the data was collected from. This allows you to look at a data set only for a specific version of a service.
  type: keyword | example: 3.2.4

source
  Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.

source.address
  Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.
  type: keyword

source.as.number
  Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
  type: long | example: 15169

source.as.organization.name
  Organization name.
  type: keyword | example: Google LLC

source.as.organization.name.text
  type: match_only_text

source.bytes
  Bytes sent from the source to the destination.
  type: long | format: bytes | example: 184

source.domain
  The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
  type: keyword | example: foo.example.com

source.geo.city_name
  City name.
  type: keyword | example: Montreal

source.geo.continent_code
  Two-letter code representing the continent's name.
  type: keyword | example: NA

source.geo.continent_name
  Name of the continent.
  type: keyword | example: North America

source.geo.country_iso_code
  Country ISO code.
  type: keyword | example: CA

source.geo.country_name
  Country name.
  type: keyword | example: Canada

source.geo.location
  Longitude and latitude.
  type: geo_point | example: { "lon": -73.614830, "lat": 45.505918 }

source.geo.name
  User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
  type: keyword | example: boston-dc

source.geo.postal_code
  Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
  type: keyword | example: 94040

source.geo.region_iso_code
  Region ISO code.
  type: keyword | example: CA-QC

source.geo.region_name
  Region name.
  type: keyword | example: Quebec

source.geo.timezone
  The time zone of the location, such as an IANA time zone name.
  type: keyword | example: America/Argentina/Buenos_Aires

source.ip
  IP address of the source (IPv4 or IPv6).
  type: ip

source.mac
  MAC address of the source. The notation format from RFC 7042 is suggested: each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
  type: keyword | example: 00-00-5E-00-53-23

source.nat.ip
  Translated IP of source-based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
  type: ip

source.nat.port
  Translated port of source-based NAT sessions (e.g. internal client to internet). Typically used with load balancers, firewalls, or routers.
  type: long | format: string

source.packets
  Packets sent from the source to the destination.
  type: long | example: 12

source.port
  Port of the source.
  type: long | format: string
source.registered_domain
  The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
  type: keyword | example: example.com

source.subdomain
  The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
  type: keyword | example: east

source.top_level_domain
  The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
  type: keyword | example: co.uk

source.user.domain
  Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
  type: keyword

source.user.email
  User email address.
  type: keyword

source.user.full_name
  User's full name, if available.
  type: keyword | example: Albert Einstein

source.user.full_name.text
  type: match_only_text

source.user.group.domain
  Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
  type: keyword

source.user.group.id
  Unique identifier for the group on the system/platform.
  type: keyword

source.user.group.name
  Name of the group.
  type: keyword

source.user.hash
  Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.
  type: keyword

source.user.id
  Unique identifier of the user.
  type: keyword | example: S-1-5-21-202424912787-2692429404-2351956786-1000

source.user.name
  Short name or login of the user.
  type: keyword | example: a.einstein

source.user.name.text
  type: match_only_text

source.user.roles
  Array of user roles at the time of the event.
  type: keyword | example: ["kibana_admin", "reporting_user"]

threat
  Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat to accomplish the goal (e.g. "endpoint denial of service").

threat.enrichments
  A list of associated indicator objects enriching the event, and the context of that association/enrichment.
  type: nested

threat.enrichments.indicator
  Object containing associated indicators enriching the event.
  type: object

threat.enrichments.indicator.as.number
  Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
  type: long | example: 15169

threat.enrichments.indicator.as.organization.name
  Organization name.
  type: keyword | example: Google LLC

threat.enrichments.indicator.as.organization.name.text
  type: match_only_text

threat.enrichments.indicator.confidence
  Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are:
    * Not Specified
    * None
    * Low
    * Medium
    * High
  type: keyword | example: Medium

threat.enrichments.indicator.description
  Describes the type of action conducted by the threat.
  type: keyword | example: IP x.x.x.x was observed delivering the Angler EK.
     threat.enrichments.indicator.email.address Identifies a threat indicator as
     an email address (irrespective of direction). type: keyword example:
     phish@example.com threat.enrichments.indicator.file.accessed Last time the
     file was accessed.Note that not all filesystems keep track of access time.
     type: date threat.enrichments.indicator.file.attributes Array of file
     attributes.Attributes names will vary by platform. Here’s a non-exhaustive
     list of values that are expected in this field: archive, compressed,
     directory, encrypted, execute, hidden, read, readonly, system, write. type:
     keyword example: ["readonly", "system"]
threat.enrichments.indicator.file.code_signature.digest_algorithm
    The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
    type: keyword
    example: sha256

threat.enrichments.indicator.file.code_signature.exists
    Boolean to capture if a signature is present.
    type: boolean
    example: true

threat.enrichments.indicator.file.code_signature.signing_id
    The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
    type: keyword
    example: com.apple.xpc.proxy

threat.enrichments.indicator.file.code_signature.status
    Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
    type: keyword
    example: ERROR_UNTRUSTED_ROOT

threat.enrichments.indicator.file.code_signature.subject_name
    Subject name of the code signer.
    type: keyword
    example: Microsoft Corporation

threat.enrichments.indicator.file.code_signature.team_id
    The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
    type: keyword
    example: EQHXZ8M8AV

threat.enrichments.indicator.file.code_signature.timestamp
    Date and time when the code signature was generated and signed.
    type: date
    example: 2021-01-01T12:10:30Z

threat.enrichments.indicator.file.code_signature.trusted
    Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
    type: boolean
    example: true

threat.enrichments.indicator.file.code_signature.valid
    Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
    type: boolean
    example: true

threat.enrichments.indicator.file.created
    File creation time. Note that not all filesystems store the creation time.
    type: date

threat.enrichments.indicator.file.ctime
    Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file.
    type: date

threat.enrichments.indicator.file.device
    Device that is the source of the file.
    type: keyword
    example: sda

threat.enrichments.indicator.file.directory
    Directory where the file is located. It should include the drive letter, when appropriate.
    type: keyword
    example: /home/alice

threat.enrichments.indicator.file.drive_letter
    Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
    type: keyword
    example: C

threat.enrichments.indicator.file.elf.architecture
    Machine architecture of the ELF file.
    type: keyword
    example: x86-64

threat.enrichments.indicator.file.elf.byte_order
    Byte sequence of ELF file.
    type: keyword
    example: Little Endian

threat.enrichments.indicator.file.elf.cpu_type
    CPU type of the ELF file.
    type: keyword
    example: Intel

threat.enrichments.indicator.file.elf.creation_date
    Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
    type: date

threat.enrichments.indicator.file.elf.exports
    List of exported element names and types.
    type: flattened

threat.enrichments.indicator.file.elf.header.abi_version
    Version of the ELF Application Binary Interface (ABI).
    type: keyword

threat.enrichments.indicator.file.elf.header.class
    Header class of the ELF file.
    type: keyword

threat.enrichments.indicator.file.elf.header.data
    Data table of the ELF header.
    type: keyword

threat.enrichments.indicator.file.elf.header.entrypoint
    Header entrypoint of the ELF file.
    type: long
    format: string

threat.enrichments.indicator.file.elf.header.object_version
    "0x1" for original ELF files.
    type: keyword

threat.enrichments.indicator.file.elf.header.os_abi
    Application Binary Interface (ABI) of the Linux OS.
    type: keyword

threat.enrichments.indicator.file.elf.header.type
    Header type of the ELF file.
    type: keyword

threat.enrichments.indicator.file.elf.header.version
    Version of the ELF header.
    type: keyword

threat.enrichments.indicator.file.elf.imports
    List of imported element names and types.
    type: flattened
threat.enrichments.indicator.file.elf.sections
    An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.
    type: nested

threat.enrichments.indicator.file.elf.sections.chi2
    Chi-square probability distribution of the section.
    type: long
    format: number

threat.enrichments.indicator.file.elf.sections.entropy
    Shannon entropy calculation from the section.
    type: long
    format: number

threat.enrichments.indicator.file.elf.sections.flags
    ELF Section List flags.
    type: keyword

threat.enrichments.indicator.file.elf.sections.name
    ELF Section List name.
    type: keyword

threat.enrichments.indicator.file.elf.sections.physical_offset
    ELF Section List offset.
    type: keyword

threat.enrichments.indicator.file.elf.sections.physical_size
    ELF Section List physical size.
    type: long
    format: bytes

threat.enrichments.indicator.file.elf.sections.type
    ELF Section List type.
    type: keyword

threat.enrichments.indicator.file.elf.sections.virtual_address
    ELF Section List virtual address.
    type: long
    format: string

threat.enrichments.indicator.file.elf.sections.virtual_size
    ELF Section List virtual size.
    type: long
    format: string

threat.enrichments.indicator.file.elf.segments
    An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.
    type: nested

threat.enrichments.indicator.file.elf.segments.sections
    ELF object segment sections.
    type: keyword

threat.enrichments.indicator.file.elf.segments.type
    ELF object segment type.
    type: keyword

threat.enrichments.indicator.file.elf.shared_libraries
    List of shared libraries used by this ELF object.
    type: keyword

threat.enrichments.indicator.file.elf.telfhash
    telfhash symbol hash for ELF file.
    type: keyword

threat.enrichments.indicator.file.extension
    File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
    type: keyword
    example: png

threat.enrichments.indicator.file.fork_name
    A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name.
    type: keyword
    example: Zone.Identifier
threat.enrichments.indicator.file.gid
    Primary group ID (GID) of the file.
    type: keyword
    example: 1001

threat.enrichments.indicator.file.group
    Primary group name of the file.
    type: keyword
    example: alice

threat.enrichments.indicator.file.hash.md5
    MD5 hash.
    type: keyword

threat.enrichments.indicator.file.hash.sha1
    SHA1 hash.
    type: keyword

threat.enrichments.indicator.file.hash.sha256
    SHA256 hash.
    type: keyword

threat.enrichments.indicator.file.hash.sha512
    SHA512 hash.
    type: keyword

threat.enrichments.indicator.file.hash.ssdeep
    SSDEEP hash.
    type: keyword

threat.enrichments.indicator.file.inode
    Inode representing the file in the filesystem.
    type: keyword
    example: 256383

threat.enrichments.indicator.file.mime_type
    MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used.
    type: keyword

threat.enrichments.indicator.file.mode
    Mode of the file in octal representation.
    type: keyword
    example: 0640

threat.enrichments.indicator.file.mtime
    Last time the file content was modified.
    type: date

threat.enrichments.indicator.file.name
    Name of the file including the extension, without the directory.
    type: keyword
    example: example.png

threat.enrichments.indicator.file.owner
    File owner’s username.
    type: keyword
    example: alice

threat.enrichments.indicator.file.path
    Full path to the file, including the file name. It should include the drive letter, when appropriate.
    type: keyword
    example: /home/alice/example.png

threat.enrichments.indicator.file.path.text
    type: match_only_text

threat.enrichments.indicator.file.pe.architecture
    CPU architecture target for the file.
    type: keyword
    example: x64

threat.enrichments.indicator.file.pe.company
    Internal company name of the file, provided at compile-time.
    type: keyword
    example: Microsoft Corporation

threat.enrichments.indicator.file.pe.description
    Internal description of the file, provided at compile-time.
    type: keyword
    example: Paint

threat.enrichments.indicator.file.pe.file_version
    Internal version of the file, provided at compile-time.
    type: keyword
    example: 6.3.9600.17415

threat.enrichments.indicator.file.pe.imphash
    A hash of the imports in a PE file. An imphash (or import hash) can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
    type: keyword
    example: 0c6803c4e922103c4dca5963aad36ddf

threat.enrichments.indicator.file.pe.original_file_name
    Internal name of the file, provided at compile-time.
    type: keyword
    example: MSPAINT.EXE

threat.enrichments.indicator.file.pe.product
    Internal product name of the file, provided at compile-time.
    type: keyword
    example: Microsoft® Windows® Operating System

threat.enrichments.indicator.file.size
    File size in bytes. Only relevant when file.type is "file".
    type: long
    example: 16384

threat.enrichments.indicator.file.target_path
    Target path for symlinks.
    type: keyword

threat.enrichments.indicator.file.target_path.text
    type: match_only_text

threat.enrichments.indicator.file.type
    File type (file, dir, or symlink).
    type: keyword
    example: file

threat.enrichments.indicator.file.uid
    The user ID (UID) or security identifier (SID) of the file owner.
    type: keyword
    example: 1001
threat.enrichments.indicator.file.x509.alternative_names
    List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
    type: keyword
    example: *.elastic.co

threat.enrichments.indicator.file.x509.issuer.common_name
    List of common name (CN) of issuing certificate authority.
    type: keyword
    example: Example SHA2 High Assurance Server CA

threat.enrichments.indicator.file.x509.issuer.country
    List of country (C) codes.
    type: keyword
    example: US

threat.enrichments.indicator.file.x509.issuer.distinguished_name
    Distinguished name (DN) of issuing certificate authority.
    type: keyword
    example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

threat.enrichments.indicator.file.x509.issuer.locality
    List of locality names (L).
    type: keyword
    example: Mountain View

threat.enrichments.indicator.file.x509.issuer.organization
    List of organizations (O) of issuing certificate authority.
    type: keyword
    example: Example Inc

threat.enrichments.indicator.file.x509.issuer.organizational_unit
    List of organizational units (OU) of issuing certificate authority.
    type: keyword
    example: www.example.com

threat.enrichments.indicator.file.x509.issuer.state_or_province
    List of state or province names (ST, S, or P).
    type: keyword
    example: California

threat.enrichments.indicator.file.x509.not_after
    Time at which the certificate is no longer considered valid.
    type: date
    example: 2020-07-16 03:15:39+00:00

threat.enrichments.indicator.file.x509.not_before
    Time at which the certificate is first considered valid.
    type: date
    example: 2019-08-16 01:40:25+00:00

threat.enrichments.indicator.file.x509.public_key_algorithm
    Algorithm used to generate the public key.
    type: keyword
    example: RSA

threat.enrichments.indicator.file.x509.public_key_curve
    The curve used by the elliptic curve public key algorithm. This is algorithm specific.
    type: keyword
    example: nistp521

threat.enrichments.indicator.file.x509.public_key_exponent
    Exponent used to derive the public key. This is algorithm specific.
    type: long
    example: 65537
    Field is not indexed.

threat.enrichments.indicator.file.x509.public_key_size
    The size of the public key space in bits.
    type: long
    example: 2048

threat.enrichments.indicator.file.x509.serial_number
    Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
    type: keyword
    example: 55FBB9C7DEBF09809D12CCAA

threat.enrichments.indicator.file.x509.signature_algorithm
    Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
    type: keyword
    example: SHA256-RSA

threat.enrichments.indicator.file.x509.subject.common_name
    List of common names (CN) of subject.
    type: keyword
    example: shared.global.example.net

threat.enrichments.indicator.file.x509.subject.country
    List of country (C) codes.
    type: keyword
    example: US

threat.enrichments.indicator.file.x509.subject.distinguished_name
    Distinguished name (DN) of the certificate subject entity.
    type: keyword
    example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

threat.enrichments.indicator.file.x509.subject.locality
    List of locality names (L).
    type: keyword
    example: San Francisco

threat.enrichments.indicator.file.x509.subject.organization
    List of organizations (O) of subject.
    type: keyword
    example: Example, Inc.

threat.enrichments.indicator.file.x509.subject.organizational_unit
    List of organizational units (OU) of subject.
    type: keyword

threat.enrichments.indicator.file.x509.subject.state_or_province
    List of state or province names (ST, S, or P).
    type: keyword
    example: California

threat.enrichments.indicator.file.x509.version_number
    Version of x509 format.
    type: keyword
    example: 3

threat.enrichments.indicator.first_seen
    The date and time when intelligence source first reported sighting this indicator.
    type: date
    example: 2020-11-05T17:25:47.000Z
threat.enrichments.indicator.geo.city_name
    City name.
    type: keyword
    example: Montreal

threat.enrichments.indicator.geo.continent_code
    Two-letter code representing continent’s name.
    type: keyword
    example: NA

threat.enrichments.indicator.geo.continent_name
    Name of the continent.
    type: keyword
    example: North America

threat.enrichments.indicator.geo.country_iso_code
    Country ISO code.
    type: keyword
    example: CA

threat.enrichments.indicator.geo.country_name
    Country name.
    type: keyword
    example: Canada

threat.enrichments.indicator.geo.location
    Longitude and latitude.
    type: geo_point
    example: { "lon": -73.614830, "lat": 45.505918 }

threat.enrichments.indicator.geo.name
    User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
    type: keyword
    example: boston-dc

threat.enrichments.indicator.geo.postal_code
    Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
    type: keyword
    example: 94040

threat.enrichments.indicator.geo.region_iso_code
    Region ISO code.
    type: keyword
    example: CA-QC

threat.enrichments.indicator.geo.region_name
    Region name.
    type: keyword
    example: Quebec

threat.enrichments.indicator.geo.timezone
    The time zone of the location, such as IANA time zone name.
    type: keyword
    example: America/Argentina/Buenos_Aires

threat.enrichments.indicator.ip
    Identifies a threat indicator as an IP address (irrespective of direction).
    type: ip
    example: 1.2.3.4

threat.enrichments.indicator.last_seen
    The date and time when intelligence source last reported sighting this indicator.
    type: date
    example: 2020-11-05T17:25:47.000Z

threat.enrichments.indicator.marking.tlp
    Traffic Light Protocol sharing markings. Recommended values are:
     * WHITE
     * GREEN
     * AMBER
     * RED
    type: keyword
    example: White

threat.enrichments.indicator.modified_at
    The date and time when intelligence source last modified information for this indicator.
    type: date
    example: 2020-11-05T17:25:47.000Z

threat.enrichments.indicator.port
    Identifies a threat indicator as a port number (irrespective of direction).
    type: long
    example: 443

threat.enrichments.indicator.provider
    The name of the indicator’s provider.
    type: keyword
    example: lrz_urlhaus

threat.enrichments.indicator.reference
    Reference URL linking to additional information about this indicator.
    type: keyword
    example: https://system.example.com/indicator/0001234

threat.enrichments.indicator.registry.data.bytes
    Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by lp_data. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
    type: keyword
    example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=

threat.enrichments.indicator.registry.data.strings
    Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g. "1").
    type: wildcard
    example: ["C:\rta\red_ttp\bin\myapp.exe"]

threat.enrichments.indicator.registry.data.type
    Standard registry type for encoding contents.
    type: keyword
    example: REG_SZ

threat.enrichments.indicator.registry.hive
    Abbreviated name for the hive.
    type: keyword
    example: HKLM

threat.enrichments.indicator.registry.key
    Hive-relative path of keys.
    type: keyword
    example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe

threat.enrichments.indicator.registry.path
    Full path, including hive, key and value.
    type: keyword
    example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger

threat.enrichments.indicator.registry.value
    Name of the value written.
    type: keyword
    example: Debugger

threat.enrichments.indicator.scanner_stats
    Count of AV/EDR vendors that successfully detected malicious file or URL.
    type: long
    example: 4

threat.enrichments.indicator.sightings
    Number of times this indicator was observed conducting threat activity.
    type: long
    example: 20

threat.enrichments.indicator.type
    Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values:
     * autonomous-system
     * artifact
     * directory
     * domain-name
     * email-addr
     * file
     * ipv4-addr
     * ipv6-addr
     * mac-addr
     * mutex
     * port
     * process
     * software
     * url
     * user-account
     * windows-registry-key
     * x509-certificate
    type: keyword
    example: ipv4-addr
threat.enrichments.indicator.url.domain
    Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.
    type: keyword
    example: www.elastic.co

threat.enrichments.indicator.url.extension
    The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
    type: keyword
    example: png

threat.enrichments.indicator.url.fragment
    Portion of the url after the #, such as "top". The # is not part of the fragment.
    type: keyword

threat.enrichments.indicator.url.full
    If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.
    type: wildcard
    example: https://www.elastic.co:443/search?q=elasticsearch#top

threat.enrichments.indicator.url.full.text
    type: match_only_text

threat.enrichments.indicator.url.original
    Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
    type: wildcard
    example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch

threat.enrichments.indicator.url.original.text
    type: match_only_text

threat.enrichments.indicator.url.password
    Password of the request.
    type: keyword

threat.enrichments.indicator.url.path
    Path of the request, such as "/search".
    type: wildcard

threat.enrichments.indicator.url.port
    Port of the request, such as 443.
    type: long
    example: 443
    format: string

threat.enrichments.indicator.url.query
    The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.
    type: keyword

threat.enrichments.indicator.url.registered_domain
    The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
    type: keyword
    example: example.com

threat.enrichments.indicator.url.scheme
    Scheme of the request, such as "https". Note: The : is not part of the scheme.
    type: keyword
    example: https

threat.enrichments.indicator.url.subdomain
    The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
    type: keyword
    example: east

threat.enrichments.indicator.url.top_level_domain
    The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
    type: keyword
    example: co.uk

threat.enrichments.indicator.url.username
    Username of the request.
    type: keyword

threat.enrichments.indicator.x509.alternative_names
    List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
    type: keyword
    example: *.elastic.co
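The url.* rules above (bracketed IPv6 literal kept in url.domain, url.query present but empty when a ? has nothing after it and absent without one, eTLD and registered domain taken from a suffix list rather than from the last labels, only the last extension without its dot) can be exercised with a small decomposer. This is an added example, not Elastic's code; PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List, and url.subdomain is filled with every label below the registered domain (the "sub2.sub1.example.com" rule) because the code cannot tell which label is the host name.

```python
"""Decompose a URL into ECS url.* fields.

Added example, not Elastic's code. PUBLIC_SUFFIXES is a constructed stand-in
for the Public Suffix List (publicsuffix.org) that a real pipeline would load.
"""
from urllib.parse import urlsplit

# Constructed subset of effective TLDs; "co.uk" must win over "uk".
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "uk", "co.uk", "org.uk"}


def split_host_port(netloc):
    """Split an authority (userinfo already removed) into (domain, port).

    A bracketed IPv6 literal keeps its [ and ], as url.domain requires.
    """
    if netloc.startswith("["):
        end = netloc.index("]")
        rest = netloc[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
        return netloc[:end + 1], port
    host, sep, port = netloc.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return netloc, None


def split_domain(domain):
    """Return (subdomain, registered_domain, top_level_domain) for a host name.

    The eTLD is the longest suffix found in PUBLIC_SUFFIXES, the registered
    domain is the eTLD plus one label, and the subdomain is every label below
    that, with no trailing period. IP literals and bare suffixes have no
    registered domain.
    """
    if domain.startswith("[") or domain.replace(".", "").isdigit():
        return None, None, None
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        etld = ".".join(labels[i:])
        if etld in PUBLIC_SUFFIXES:
            break
    else:
        return None, None, None
    if i == 0:  # the whole name is a public suffix, e.g. "co.uk"
        return None, None, etld
    registered = ".".join(labels[i - 1:])
    subdomain = ".".join(labels[:i - 1]) or None
    return subdomain, registered, etld


def ecs_url_fields(url):
    """Map one observed URL (full or path-only) onto ECS url.* keys.

    Rules applied: url.original is the string as seen and url.full is only set
    when the URL is complete; url.scheme drops the ':' and url.fragment the
    '#'; url.query is absent without a '?', and present but empty when the '?'
    has nothing after it; url.extension is only the last extension, no dot.
    """
    parts = urlsplit(url)
    fields = {"original": url}
    if parts.scheme:
        fields["scheme"] = parts.scheme
    if parts.netloc:
        fields["full"] = url
        domain, port = split_host_port(parts.netloc.rpartition("@")[2])
        fields["domain"] = domain
        if port is not None:
            fields["port"] = port
        if parts.username:
            fields["username"] = parts.username
        if parts.password:
            fields["password"] = parts.password
        sub, reg, tld = split_domain(domain)
        for key, value in (("subdomain", sub), ("registered_domain", reg),
                           ("top_level_domain", tld)):
            if value is not None:
                fields[key] = value
    if parts.path:
        fields["path"] = parts.path
        _, dot, ext = parts.path.rsplit("/", 1)[-1].rpartition(".")
        if dot and ext:
            fields["extension"] = ext
    if "?" in url.split("#", 1)[0]:
        fields["query"] = parts.query
    if "#" in url:
        fields["fragment"] = parts.fragment
    return fields
```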
threat.enrichments.indicator.x509.issuer.common_name
    List of common name (CN) of issuing certificate authority.
    type: keyword
    example: Example SHA2 High Assurance Server CA

threat.enrichments.indicator.x509.issuer.country
    List of country (C) codes.
    type: keyword
    example: US

threat.enrichments.indicator.x509.issuer.distinguished_name
    Distinguished name (DN) of issuing certificate authority.
    type: keyword
    example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

threat.enrichments.indicator.x509.issuer.locality
    List of locality names (L).
    type: keyword
    example: Mountain View

threat.enrichments.indicator.x509.issuer.organization
    List of organizations (O) of issuing certificate authority.
    type: keyword
    example: Example Inc

threat.enrichments.indicator.x509.issuer.organizational_unit
    List of organizational units (OU) of issuing certificate authority.
    type: keyword
    example: www.example.com

threat.enrichments.indicator.x509.issuer.state_or_province
    List of state or province names (ST, S, or P).
    type: keyword
    example: California

threat.enrichments.indicator.x509.not_after
    Time at which the certificate is no longer considered valid.
    type: date
    example: 2020-07-16 03:15:39+00:00

threat.enrichments.indicator.x509.not_before
    Time at which the certificate is first considered valid.
    type: date
    example: 2019-08-16 01:40:25+00:00

threat.enrichments.indicator.x509.public_key_algorithm
    Algorithm used to generate the public key.
    type: keyword
    example: RSA

threat.enrichments.indicator.x509.public_key_curve
    The curve used by the elliptic curve public key algorithm. This is algorithm specific.
    type: keyword
    example: nistp521

threat.enrichments.indicator.x509.public_key_exponent
    Exponent used to derive the public key. This is algorithm specific.
    type: long
    example: 65537
    Field is not indexed.

threat.enrichments.indicator.x509.public_key_size
    The size of the public key space in bits.
    type: long
    example: 2048

threat.enrichments.indicator.x509.serial_number
    Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
    type: keyword
    example: 55FBB9C7DEBF09809D12CCAA

threat.enrichments.indicator.x509.signature_algorithm
    Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
    type: keyword
    example: SHA256-RSA

threat.enrichments.indicator.x509.subject.common_name
    List of common names (CN) of subject.
    type: keyword
    example: shared.global.example.net

threat.enrichments.indicator.x509.subject.country
    List of country (C) codes.
    type: keyword
    example: US

threat.enrichments.indicator.x509.subject.distinguished_name
    Distinguished name (DN) of the certificate subject entity.
    type: keyword
    example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

threat.enrichments.indicator.x509.subject.locality
    List of locality names (L).
    type: keyword
    example: San Francisco

threat.enrichments.indicator.x509.subject.organization
    List of organizations (O) of subject.
    type: keyword
    example: Example, Inc.

threat.enrichments.indicator.x509.subject.organizational_unit
    List of organizational units (OU) of subject.
    type: keyword

threat.enrichments.indicator.x509.subject.state_or_province
    List of state or province names (ST, S, or P).
    type: keyword
    example: California

threat.enrichments.indicator.x509.version_number
    Version of x509 format.
    type: keyword
    example: 3

threat.enrichments.matched.atomic
    Identifies the atomic indicator value that matched a local environment endpoint or network event.
    type: keyword
    example: bad-domain.com
threat.enrichments.matched.field
    Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
    type: keyword
    example: file.hash.sha256

threat.enrichments.matched.id
    Identifies the _id of the indicator document enriching the event.
    type: keyword
    example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
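To make the nested threat.enrichments structure and its matched.* fields concrete, here is a small matcher that joins an event against indicator documents and emits one enrichment entry per match, as the fields above describe. It is an added example, not Elastic's indicator match rule; the indicator documents, index name, event and field mappings are all constructed assumptions.

```python
"""Populate ECS threat.enrichments on an event from matching indicator docs.

Added example, not Elastic's code. The indicator documents, the index name
and the event below are constructed sample data, and the matcher is a small
stand-in for the indicator match rule that normally does this work.
"""
import copy

# Constructed indicator documents: (_index, _id, source with threat.indicator.*).
INDICATOR_DOCS = [
    ("logs-ti_constructed-2021.05.23-000011", "ind-0001", {"threat": {"indicator": {
        "type": "file", "provider": "constructed_feed", "confidence": "High",
        "marking": {"tlp": "AMBER"},
        "file": {"hash": {"sha256": "a" * 64}},
    }}}),
    ("logs-ti_constructed-2021.05.23-000011", "ind-0002", {"threat": {"indicator": {
        "type": "domain-name", "provider": "constructed_feed", "confidence": "Medium",
        "marking": {"tlp": "GREEN"},
        "url": {"domain": "bad-domain.com"},
    }}}),
]

# Assumed (event field, indicator field relative to threat.indicator) pairs.
MATCH_MAPPINGS = [
    ("file.hash.sha256", "file.hash.sha256"),
    ("destination.domain", "url.domain"),
    ("source.ip", "ip"),
]


def get_path(doc, path):
    """Follow a dotted path through nested dicts; None when any key is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def enrich(event, indicator_docs=INDICATOR_DOCS, mappings=MATCH_MAPPINGS):
    """Return a copy of the event with threat.enrichments filled in.

    One nested entry is produced per (indicator document, matching field):
    the indicator object itself plus matched.atomic (the value that matched),
    matched.field (the indicator field it came from), matched.id and
    matched.index (the document that enriched the event) and matched.type.
    Events with no match come back unchanged.
    """
    enriched = copy.deepcopy(event)
    enrichments = []
    for index, doc_id, doc in indicator_docs:
        indicator = get_path(doc, "threat.indicator") or {}
        for event_field, indicator_field in mappings:
            value = get_path(enriched, event_field)
            if value is None or value != get_path(indicator, indicator_field):
                continue
            enrichments.append({
                "indicator": copy.deepcopy(indicator),
                "matched": {
                    "atomic": value,
                    "field": indicator_field,
                    "id": doc_id,
                    "index": index,
                    "type": "indicator_match_rule",
                },
            })
    if enrichments:
        enriched.setdefault("threat", {})["enrichments"] = enrichments
    return enriched


# Constructed endpoint event: the file hash and destination domain both match.
SAMPLE_EVENT = {
    "event": {"kind": "event", "category": ["file"]},
    "file": {"hash": {"sha256": "a" * 64}},
    "destination": {"domain": "bad-domain.com"},
    "source": {"ip": "10.0.0.5"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(enrich(SAMPLE_EVENT), indent=2))
```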
threat.enrichments.matched.index
    Identifies the _index of the indicator document enriching the event.
    type: keyword
    example: filebeat-8.0.0-2021.05.23-000011

threat.enrichments.matched.type
    Identifies the type of match that caused the event to be enriched with the given indicator.
    type: keyword
    example: indicator_match_rule

threat.framework
    Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
    type: keyword
    example: MITRE ATT&CK

threat.group.alias
    The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
    type: keyword
    example: [ "Magecart Group 6" ]

threat.group.id
    The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
    type: keyword
    example: G0037

threat.group.name
    The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.
    type: keyword
    example: FIN6

threat.group.reference
    The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.
    type: keyword
    example: https://attack.mitre.org/groups/G0037/

threat.indicator.as.number
    Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
    type: long
    example: 15169

threat.indicator.as.organization.name
    Organization name.
    type: keyword
    example: Google LLC

threat.indicator.as.organization.name.text
    type: match_only_text

threat.indicator.confidence
    Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
    Expected values are:
     * Not Specified
     * None
     * Low
     * Medium
     * High
    type: keyword
    example: Medium

threat.indicator.description
    Describes the type of action conducted by the threat.
    type: keyword
    example: IP x.x.x.x was observed delivering the Angler EK.

threat.indicator.email.address
    Identifies a threat indicator as an email address (irrespective of direction).
    type: keyword
    example: phish@example.com

threat.indicator.file.accessed
    Last time the file was accessed. Note that not all filesystems keep track of access time.
    type: date

threat.indicator.file.attributes
    Array of file attributes. Attribute names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
    type: keyword
    example: ["readonly", "system"]

threat.indicator.file.code_signature.digest_algorithm
    The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
    type: keyword
    example: sha256

threat.indicator.file.code_signature.exists
    Boolean to capture if a
     signature is present. type: boolean example: true
     threat.indicator.file.code_signature.signing_id The identifier used to sign
     the process.This is used to identify the application manufactured by a
     software vendor. The field is relevant to Apple *OS only. type: keyword
     example: com.apple.xpc.proxy threat.indicator.file.code_signature.status
     Additional information about the certificate status.This is useful for
     logging cryptographic errors with the certificate validity or trust status.
     Leave unpopulated if the validity or trust of the certificate was
     unchecked. type: keyword example: ERROR_UNTRUSTED_ROOT
     threat.indicator.file.code_signature.subject_name Subject name of the code
     signer type: keyword example: Microsoft Corporation
     threat.indicator.file.code_signature.team_id The team identifier used to
     sign the process.This is used to identify the team or vendor of a software
     product. The field is relevant to Apple *OS only. type: keyword example:
     EQHXZ8M8AV threat.indicator.file.code_signature.timestamp Date and time
     when the code signature was generated and signed. type: date example:
     2021-01-01T12:10:30Z threat.indicator.file.code_signature.trusted Stores
     the trust status of the certificate chain.Validating the trust of the
     certificate chain may be complicated, and this field should only be
     populated by tools that actively check the status. type: boolean example:
     true threat.indicator.file.code_signature.valid Boolean to capture if the
     digital signature is verified against the binary content.Leave unpopulated
     if a certificate was unchecked. type: boolean example: true
     threat.indicator.file.created File creation time.Note that not all
     filesystems store the creation time. type: date threat.indicator.file.ctime
     Last time the file attributes or metadata changed.Note that changes to the
     file content will update mtime . This implies ctime will be adjusted at the
     same time, since mtime is an attribute of the file. type: date
     threat.indicator.file.device Device that is the source of the file. type:
     keyword example: sda threat.indicator.file.directory Directory where the
     file is located. It should include the drive letter, when appropriate.
     type: keyword example: /home/alice threat.indicator.file.drive_letter Drive
     letter where the file is located. This field is only relevant on
     Windows.The value should be uppercase, and not include the colon. type:
     keyword example: C threat.indicator.file.elf.architecture Machine
     architecture of the ELF file. type: keyword example: x86-64
     threat.indicator.file.elf.byte_order Byte sequence of ELF file. type:
     keyword example: Little Endian threat.indicator.file.elf.cpu_type CPU type
     of the ELF file. type: keyword example: Intel
     threat.indicator.file.elf.creation_date Extracted when possible from the
     file’s metadata. Indicates when it was built or compiled. It can also be
     faked by malware creators. type: date threat.indicator.file.elf.exports
     List of exported element names and types. type: flattened
     threat.indicator.file.elf.header.abi_version Version of the ELF Application
     Binary Interface (ABI). type: keyword
     threat.indicator.file.elf.header.class Header class of the ELF file. type:
     keyword threat.indicator.file.elf.header.data Data table of the ELF header.
     type: keyword threat.indicator.file.elf.header.entrypoint Header entrypoint
     of the ELF file. type: long format: string
     threat.indicator.file.elf.header.object_version "0x1" for original ELF
     files. type: keyword threat.indicator.file.elf.header.os_abi Application
     Binary Interface (ABI) of the Linux OS. type: keyword
     threat.indicator.file.elf.header.type Header type of the ELF file. type:
     keyword threat.indicator.file.elf.header.version Version of the ELF header.
     type: keyword threat.indicator.file.elf.imports List of imported element
     names and types. type: flattened threat.indicator.file.elf.sections An
     array containing an object for each section of the ELF file.The keys that
     should be present in these objects are defined by sub-fields underneath
     elf.sections.* . type: nested threat.indicator.file.elf.sections.chi2
     Chi-square probability distribution of the section. type: long format:
     number threat.indicator.file.elf.sections.entropy Shannon entropy
     calculation from the section. type: long format: number
     threat.indicator.file.elf.sections.flags ELF Section List flags. type:
     keyword threat.indicator.file.elf.sections.name ELF Section List name.
     type: keyword threat.indicator.file.elf.sections.physical_offset ELF
     Section List offset. type: keyword
     threat.indicator.file.elf.sections.physical_size ELF Section List physical
     size. type: long format: bytes threat.indicator.file.elf.sections.type ELF
     Section List type. type: keyword
     threat.indicator.file.elf.sections.virtual_address ELF Section List virtual
     address. type: long format: string
     threat.indicator.file.elf.sections.virtual_size ELF Section List virtual
     size. type: long format: string threat.indicator.file.elf.segments An array
     containing an object for each segment of the ELF file.The keys that should
     be present in these objects are defined by sub-fields underneath
     elf.segments.* . type: nested threat.indicator.file.elf.segments.sections
     ELF object segment sections. type: keyword
     threat.indicator.file.elf.segments.type ELF object segment type. type:
     keyword threat.indicator.file.elf.shared_libraries List of shared libraries
     used by this ELF object. type: keyword threat.indicator.file.elf.telfhash
     telfhash symbol hash for ELF file. type: keyword
     threat.indicator.file.extension File extension, excluding the leading
     dot.Note that when the file name has multiple extensions (example.tar.gz),
     only the last one should be captured ("gz", not "tar.gz"). type: keyword
     example: png threat.indicator.file.fork_name A fork is additional data
     associated with a filesystem object.On Linux, a resource fork is used to
     store additional data with a filesystem object. A file always has at least
     one fork for the data portion, and additional forks may exist.On NTFS, this
     is analogous to an Alternate Data Stream (ADS), and the default data stream
     for a file is just called $DATA. Zone.Identifier is commonly used by
     Windows to track contents downloaded from the Internet. An ADS is typically
     of the form: C:\path\to\filename.extension:some_fork_name , and
     some_fork_name is the value that should populate fork_name .
     filename.extension should populate file.name , and extension should
     populate file.extension . The full path, file.path , will include the fork
     name. type: keyword example: Zone.Identifer threat.indicator.file.gid
     Primary group ID (GID) of the file. type: keyword example: 1001
     threat.indicator.file.group Primary group name of the file. type: keyword
     example: alice threat.indicator.file.hash.md5 MD5 hash. type: keyword
     threat.indicator.file.hash.sha1 SHA1 hash. type: keyword
     threat.indicator.file.hash.sha256 SHA256 hash. type: keyword
     threat.indicator.file.hash.sha512 SHA512 hash. type: keyword
     threat.indicator.file.hash.ssdeep SSDEEP hash. type: keyword
     threat.indicator.file.inode Inode representing the file in the filesystem.
     type: keyword example: 256383 threat.indicator.file.mime_type MIME type
     should identify the format of the file or stream of bytes using IANA
     official types , where possible. When more than one type is applicable, the
     most specific type should be used. type: keyword threat.indicator.file.mode
     Mode of the file in octal representation. type: keyword example: 0640
     threat.indicator.file.mtime Last time the file content was modified. type:
     date threat.indicator.file.name Name of the file including the extension,
     without the directory. type: keyword example: example.png
     threat.indicator.file.owner File owner’s username. type: keyword example:
     alice threat.indicator.file.path Full path to the file, including the file
     name. It should include the drive letter, when appropriate. type: keyword
     example: /home/alice/example.png threat.indicator.file.path.text type:
     match_only_text threat.indicator.file.pe.architecture CPU architecture
     target for the file. type: keyword example: x64
     threat.indicator.file.pe.company Internal company name of the file,
     provided at compile-time. type: keyword example: Microsoft Corporation
     threat.indicator.file.pe.description Internal description of the file,
     provided at compile-time. type: keyword example: Paint
     threat.indicator.file.pe.file_version Internal version of the file,
     provided at compile-time. type: keyword example: 6.3.9600.17415
     threat.indicator.file.pe.imphash A hash of the imports in a PE file. An
     imphash — or import hash — can be used to fingerprint binaries even after
     recompilation or other code-level transformations have occurred, which
     would change more traditional hash values.Learn more at
     https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
     . type: keyword example: 0c6803c4e922103c4dca5963aad36ddf
     threat.indicator.file.pe.original_file_name Internal name of the file,
     provided at compile-time. type: keyword example: MSPAINT.EXE
     threat.indicator.file.pe.product Internal product name of the file,
     provided at compile-time. type: keyword example: Microsoft® Windows®
     Operating System threat.indicator.file.size File size in bytes.Only
     relevant when file.type is "file". type: long example: 16384
     threat.indicator.file.target_path Target path for symlinks. type: keyword
     threat.indicator.file.target_path.text type: match_only_text
     threat.indicator.file.type File type (file, dir, or symlink). type: keyword
     example: file threat.indicator.file.uid The user ID (UID) or security
     identifier (SID) of the file owner. type: keyword example: 1001
     threat.indicator.file.x509.alternative_names List of subject alternative
     names (SAN). Name types vary by certificate authority and certificate type
     but commonly contain IP addresses, DNS names (and wildcards), and email
     addresses. type: keyword example: *.elastic.co
     threat.indicator.file.x509.issuer.common_name List of common name (CN) of
     issuing certificate authority. type: keyword example: Example SHA2 High
     Assurance Server CA threat.indicator.file.x509.issuer.country List of
     country © codes type: keyword example: US
     threat.indicator.file.x509.issuer.distinguished_name Distinguished name
     (DN) of issuing certificate authority. type: keyword example: C=US,
     O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
     threat.indicator.file.x509.issuer.locality List of locality names (L) type:
     keyword example: Mountain View
     threat.indicator.file.x509.issuer.organization List of organizations (O) of
     issuing certificate authority. type: keyword example: Example Inc
     threat.indicator.file.x509.issuer.organizational_unit List of
     organizational units (OU) of issuing certificate authority. type: keyword
     example: www.example.com
     threat.indicator.file.x509.issuer.state_or_province List of state or
     province names (ST, S, or P) type: keyword example: California
     threat.indicator.file.x509.not_after Time at which the certificate is no
     longer considered valid. type: date example: 2020-07-16 03:15:39+00:00
     threat.indicator.file.x509.not_before Time at which the certificate is
     first considered valid. type: date example: 2019-08-16 01:40:25+00:00
     threat.indicator.file.x509.public_key_algorithm Algorithm used to generate
     the public key. type: keyword example: RSA
     threat.indicator.file.x509.public_key_curve The curve used by the elliptic
     curve public key algorithm. This is algorithm specific. type: keyword
     example: nistp521 threat.indicator.file.x509.public_key_exponent Exponent
     used to derive the public key. This is algorithm specific. type: long
     example: 65537 Field is not indexed.
     threat.indicator.file.x509.public_key_size The size of the public key space
     in bits. type: long example: 2048 threat.indicator.file.x509.serial_number
     Unique serial number issued by the certificate authority. For consistency,
     if this value is alphanumeric, it should be formatted without colons and
     uppercase characters. type: keyword example: 55FBB9C7DEBF09809D12CCAA
     threat.indicator.file.x509.signature_algorithm Identifier for certificate
     signature algorithm. We recommend using names found in Go Lang Crypto
     library. See
     https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353
     . type: keyword example: SHA256-RSA
     threat.indicator.file.x509.subject.common_name List of common names (CN) of
     subject. type: keyword example: shared.global.example.net
     threat.indicator.file.x509.subject.country List of country © code type:
     keyword example: US threat.indicator.file.x509.subject.distinguished_name
     Distinguished name (DN) of the certificate subject entity. type: keyword
     example: C=US, ST=California, L=San Francisco, O=Example, Inc.,
     CN=shared.global.example.net threat.indicator.file.x509.subject.locality
     List of locality names (L) type: keyword example: San Francisco
     threat.indicator.file.x509.subject.organization List of organizations (O)
     of subject. type: keyword example: Example, Inc.
     threat.indicator.file.x509.subject.organizational_unit List of
     organizational units (OU) of subject. type: keyword
     threat.indicator.file.x509.subject.state_or_province List of state or
     province names (ST, S, or P) type: keyword example: California
     threat.indicator.file.x509.version_number Version of x509 format. type:
     keyword example: 3 threat.indicator.first_seen The date and time when
     intelligence source first reported sighting this indicator. type: date
     example: 2020-11-05T17:25:47.000Z threat.indicator.geo.city_name City name.
     type: keyword example: Montreal threat.indicator.geo.continent_code
     Two-letter code representing continent’s name. type: keyword example: NA
     threat.indicator.geo.continent_name Name of the continent. type: keyword
     example: North America threat.indicator.geo.country_iso_code Country ISO
     code. type: keyword example: CA threat.indicator.geo.country_name Country
     name. type: keyword example: Canada threat.indicator.geo.location Longitude
     and latitude. type: geo_point example: { "lon": -73.614830, "lat":
     45.505918 } threat.indicator.geo.name User-defined description of a
     location, at the level of granularity they care about.Could be the name of
     their data centers, the floor number, if this describes a local physical
     entity, city names.Not typically used in automated geolocation. type:
     keyword example: boston-dc threat.indicator.geo.postal_code Postal code
     associated with the location.Values appropriate for this field may also be
     known as a postcode or ZIP code and will vary widely from country to
     country. type: keyword example: 94040 threat.indicator.geo.region_iso_code
     Region ISO code. type: keyword example: CA-QC
     threat.indicator.geo.region_name Region name. type: keyword example: Quebec
     threat.indicator.geo.timezone The time zone of the location, such as IANA
     time zone name. type: keyword example: America/Argentina/Buenos_Aires
     threat.indicator.ip Identifies a threat indicator as an IP address
     (irrespective of direction). type: ip example: 1.2.3.4
     threat.indicator.last_seen The date and time when intelligence source last
     reported sighting this indicator. type: date example:
     2020-11-05T17:25:47.000Z threat.indicator.marking.tlp Traffic Light
     Protocol sharing markings.Recommended values are: * WHITE * GREEN * AMBER *
     RED type: keyword example: WHITE threat.indicator.modified_at The date and
     time when intelligence source last modified information for this indicator.
     type: date example: 2020-11-05T17:25:47.000Z threat.indicator.port
     Identifies a threat indicator as a port number (irrespective of direction).
     type: long example: 443 threat.indicator.provider The name of the
     indicator’s provider. type: keyword example: lrz_urlhaus
     threat.indicator.reference Reference URL linking to additional information
     about this indicator. type: keyword example:
     https://system.example.com/indicator/0001234
     threat.indicator.registry.data.bytes Original bytes written with base64
     encoding.For Windows registry operations, such as SetValueEx and
     RegQueryValueEx, this corresponds to the data pointed by lp_data . This is
     optional but provides better recoverability and should be populated for
     REG_BINARY encoded values. type: keyword example:
     ZQBuAC0AVQBTAAAAZQBuAAAAAAA= threat.indicator.registry.data.strings Content
     when writing string types.Populated as an array when writing string data to
     the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ),
     this should be an array with one string. For sequences of string with
     REG_MULTI_SZ, this array will be variable length. For numeric data, such as
     REG_DWORD and REG_QWORD, this should be populated with the decimal
     representation (e.g "1" ). type: wildcard example:
     ["C:\rta\red_ttp\bin\myapp.exe"] threat.indicator.registry.data.type
     Standard registry type for encoding contents type: keyword example: REG_SZ
     threat.indicator.registry.hive Abbreviated name for the hive. type: keyword
     example: HKLM threat.indicator.registry.key Hive-relative path of keys.
     type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
     File Execution Options\winword.exe threat.indicator.registry.path Full
     path, including hive, key and value type: keyword example:
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
     Options\winword.exe\Debugger threat.indicator.registry.value Name of the
     value written. type: keyword example: Debugger
     threat.indicator.scanner_stats Count of AV/EDR vendors that successfully
     detected malicious file or URL. type: long example: 4
     threat.indicator.sightings Number of times this indicator was observed
     conducting threat activity. type: long example: 20 threat.indicator.type
     Type of indicator as represented by Cyber Observable in STIX
     2.0.Recommended values: * autonomous-system * artifact * directory *
     domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex
     * port * process * software * url * user-account * windows-registry-key *
     x509-certificate type: keyword example: ipv4-addr
     threat.indicator.url.domain Domain of the url, such as "www.elastic.co".In
     some cases a URL may refer to an IP and/or port directly, without a domain
     name. In this case, the IP address would go to the domain field.If the URL
     contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [
     and ] characters should also be captured in the domain field. type: keyword
     example: www.elastic.co threat.indicator.url.extension The field contains
     the file extension from the original request url, excluding the leading
     dot.The file extension is only set if it exists, as not every url has a
     file extension.The leading period must not be included. For example, the
     value must be "png", not ".png".Note that when the file name has multiple
     extensions (example.tar.gz), only the last one should be captured ("gz",
     not "tar.gz"). type: keyword example: png threat.indicator.url.fragment
     Portion of the url after the # , such as "top".The # is not part of the
     fragment. type: keyword threat.indicator.url.full If full URLs are
     important to your use case, they should be stored in url.full , whether
     this field is reconstructed or present in the event source. type: wildcard
     example: https://www.elastic.co:443/search?q=elasticsearch#top
     threat.indicator.url.full.text type: match_only_text
     threat.indicator.url.original Unmodified original url as seen in the event
     source.Note that in network monitoring, the observed URL may be a full URL,
     whereas in access logs, the URL is often just represented as a path.This
     field is meant to represent the URL as it was observed, complete or not.
     type: wildcard example:
     https://www.elastic.co:443/search?q=elasticsearch#top or
     /search?q=elasticsearch threat.indicator.url.original.text type:
     match_only_text threat.indicator.url.password Password of the request.
     type: keyword threat.indicator.url.path Path of the request, such as
     "/search". type: wildcard threat.indicator.url.port Port of the request,
     such as 443. type: long example: 443 format: string
     threat.indicator.url.query The query field describes the query string of
     the request, such as "q=elasticsearch".The ? is excluded from the query
     string. If a URL contains no ? , there is no query field. If there is a ?
     but no query, the query field exists with an empty string. The exists query
     can be used to differentiate between the two cases. type: keyword
     threat.indicator.url.registered_domain The highest registered url domain,
     stripped of the subdomain.For example, the registered domain for
     "foo.example.com" is "example.com".This value can be determined precisely
     with a list like the public suffix list ( http://publicsuffix.org ). Trying
     to approximate this by simply taking the last two labels will not work well
     for TLDs such as "co.uk". type: keyword example: example.com
     threat.indicator.url.scheme Scheme of the request, such as "https".Note:
     The : is not part of the scheme. type: keyword example: https
     threat.indicator.url.subdomain The subdomain portion of a fully qualified
     domain name includes all of the names except the host name under the
     registered_domain. In a partially qualified domain, or if the the
     qualification level of the full name cannot be determined, subdomain
     contains all of the names below the registered domain.For example the
     subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has
     multiple levels of subdomain, such as "sub2.sub1.example.com", the
     subdomain field should contain "sub2.sub1", with no trailing period. type:
     keyword example: east threat.indicator.url.top_level_domain The effective
     top level domain (eTLD), also known as the domain suffix, is the last part
     of the domain name. For example, the top level domain for example.com is
     "com".This value can be determined precisely with a list like the public
     suffix list ( http://publicsuffix.org ). Trying to approximate this by
     simply taking the last label will not work well for effective TLDs such as
     "co.uk". type: keyword example: co.uk threat.indicator.url.username
     Username of the request. type: keyword
     threat.indicator.x509.alternative_names List of subject alternative names
     (SAN). Name types vary by certificate authority and certificate type but
     commonly contain IP addresses, DNS names (and wildcards), and email
     addresses. type: keyword example: *.elastic.co
     threat.indicator.x509.issuer.common_name List of common name (CN) of
     issuing certificate authority. type: keyword example: Example SHA2 High
     Assurance Server CA threat.indicator.x509.issuer.country List of country ©
     codes type: keyword example: US
     threat.indicator.x509.issuer.distinguished_name Distinguished name (DN) of
     issuing certificate authority. type: keyword example: C=US, O=Example Inc,
     OU=www.example.com, CN=Example SHA2 High Assurance Server CA
     threat.indicator.x509.issuer.locality List of locality names (L) type:
     keyword example: Mountain View threat.indicator.x509.issuer.organization
     List of organizations (O) of issuing certificate authority. type: keyword
     example: Example Inc threat.indicator.x509.issuer.organizational_unit List
     of organizational units (OU) of issuing certificate authority. type:
     keyword example: www.example.com
     threat.indicator.x509.issuer.state_or_province List of state or province
     names (ST, S, or P) type: keyword example: California
     threat.indicator.x509.not_after Time at which the certificate is no longer
     considered valid. type: date example: 2020-07-16 03:15:39+00:00
     threat.indicator.x509.not_before Time at which the certificate is first
     considered valid. type: date example: 2019-08-16 01:40:25+00:00
     threat.indicator.x509.public_key_algorithm Algorithm used to generate the
     public key. type: keyword example: RSA
     threat.indicator.x509.public_key_curve The curve used by the elliptic curve
     public key algorithm. This is algorithm specific. type: keyword example:
     nistp521 threat.indicator.x509.public_key_exponent Exponent used to derive
     the public key. This is algorithm specific. type: long example: 65537 Field
     is not indexed. threat.indicator.x509.public_key_size The size of the
     public key space in bits. type: long example: 2048
     threat.indicator.x509.serial_number Unique serial number issued by the
     certificate authority. For consistency, if this value is alphanumeric, it
     should be formatted without colons and uppercase characters. type: keyword
     example: 55FBB9C7DEBF09809D12CCAA threat.indicator.x509.signature_algorithm
     Identifier for certificate signature algorithm. We recommend using names
     found in Go Lang Crypto library. See
     https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353
     . type: keyword example: SHA256-RSA
     threat.indicator.x509.subject.common_name List of common names (CN) of
     subject. type: keyword example: shared.global.example.net
     threat.indicator.x509.subject.country List of country © code type: keyword
     example: US threat.indicator.x509.subject.distinguished_name Distinguished
     name (DN) of the certificate subject entity. type: keyword example: C=US,
     ST=California, L=San Francisco, O=Example, Inc.,
     CN=shared.global.example.net threat.indicator.x509.subject.locality List of
     locality names (L) type: keyword example: San Francisco
     threat.indicator.x509.subject.organization List of organizations (O) of
     subject. type: keyword example: Example, Inc.
     threat.indicator.x509.subject.organizational_unit List of organizational
     units (OU) of subject. type: keyword
     threat.indicator.x509.subject.state_or_province List of state or province
     names (ST, S, or P) type: keyword example: California
     threat.indicator.x509.version_number Version of x509 format. type: keyword
     example: 3 threat.software.alias The alias(es) of the software for a set of
     related intrusion activity that are tracked by a common name in the
     security community.While not required, you can use a MITRE ATT&CK®
     associated software description. type: keyword example: [ "X-Agent" ]
     threat.software.id The id of the software used by this threat to conduct
     behavior commonly modeled using MITRE ATT&CK®.While not required, you can
     use a MITRE ATT&CK® software id. type: keyword example: S0552
     threat.software.name The name of the software used by this threat to
     conduct behavior commonly modeled using MITRE ATT&CK®. While not required,
     you can use a MITRE ATT&CK® software name. type: keyword example: AdFind
     threat.software.platforms
       The platforms of the software used by this threat to conduct behavior
       commonly modeled using MITRE ATT&CK®. Recommended values: AWS, Azure,
       Azure AD, GCP, Linux, macOS, Network, Office 365, SaaS, Windows. While
       not required, you can use MITRE ATT&CK® software platforms.
       type: keyword example: ["Windows"]
     threat.software.reference
       The reference URL of the software used by this threat to conduct
       behavior commonly modeled using MITRE ATT&CK®. While not required, you
       can use a MITRE ATT&CK® software reference URL.
       type: keyword example: https://attack.mitre.org/software/S0552/
     threat.software.type
       The type of software used by this threat to conduct behavior commonly
       modeled using MITRE ATT&CK®. Recommended values: Malware, Tool. While
       not required, you can use a MITRE ATT&CK® software type.
       type: keyword example: Tool
     threat.tactic.id
       The id of the tactic used by this threat. You can use a MITRE ATT&CK®
       tactic, for example (ex. https://attack.mitre.org/tactics/TA0002/ ).
       type: keyword example: TA0002
     threat.tactic.name
       Name of the type of tactic used by this threat. You can use a MITRE
       ATT&CK® tactic, for example (ex. https://attack.mitre.org/tactics/TA0002/ ).
       type: keyword example: Execution
     threat.tactic.reference
       The reference URL of the tactic used by this threat. You can use a MITRE
       ATT&CK® tactic, for example (ex. https://attack.mitre.org/tactics/TA0002/ ).
       type: keyword example: https://attack.mitre.org/tactics/TA0002/
     threat.technique.id
       The id of the technique used by this threat. You can use a MITRE ATT&CK®
       technique, for example (ex. https://attack.mitre.org/techniques/T1059/ ).
       type: keyword example: T1059
     threat.technique.name
       The name of the technique used by this threat. You can use a MITRE
       ATT&CK® technique, for example (ex.
       https://attack.mitre.org/techniques/T1059/ ).
       type: keyword example: Command and Scripting Interpreter
     threat.technique.name.text
       type: match_only_text
     threat.technique.reference
       The reference URL of the technique used by this threat. You can use a
       MITRE ATT&CK® technique, for example (ex.
       https://attack.mitre.org/techniques/T1059/ ).
       type: keyword example: https://attack.mitre.org/techniques/T1059/
     threat.technique.subtechnique.id
       The full id of the subtechnique used by this threat. You can use a MITRE
       ATT&CK® subtechnique, for example (ex.
       https://attack.mitre.org/techniques/T1059/001/ ).
       type: keyword example: T1059.001
     threat.technique.subtechnique.name
       The name of the subtechnique used by this threat. You can use a MITRE
       ATT&CK® subtechnique, for example (ex.
       https://attack.mitre.org/techniques/T1059/001/ ).
       type: keyword example: PowerShell
     threat.technique.subtechnique.name.text
       type: match_only_text
     threat.technique.subtechnique.reference
       The reference URL of the subtechnique used by this threat. You can use a
       MITRE ATT&CK® subtechnique, for example (ex.
       https://attack.mitre.org/techniques/T1059/001/ ).
       type: keyword example: https://attack.mitre.org/techniques/T1059/001/
     tls
       Fields related to a TLS connection. These fields focus on the TLS
       protocol itself and intentionally avoid in-depth analysis of the related
       x.509 certificate files.
     tls.cipher
       String indicating the cipher used during the current connection.
       type: keyword example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     tls.client.certificate
       PEM-encoded stand-alone certificate offered by the client. This is
       usually mutually exclusive with client.certificate_chain, since this
       value also exists in that list.
       type: keyword example: MII…
     tls.client.certificate_chain
       Array of PEM-encoded certificates that make up the certificate chain
       offered by the client. This is usually mutually exclusive with
       client.certificate, since that value should be the first certificate in
       the chain.
       type: keyword example: ["MII…", "MII…"]
     tls.client.hash.md5
       Certificate fingerprint using the MD5 digest of the DER-encoded version
       of the certificate offered by the client. For consistency with other
       hash values, this value should be formatted as an uppercase hash.
       type: keyword example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
     tls.client.hash.sha1
       Certificate fingerprint using the SHA1 digest of the DER-encoded version
       of the certificate offered by the client. For consistency with other
       hash values, this value should be formatted as an uppercase hash.
       type: keyword example: 9E393D93138888D288266C2D915214D1D1CCEB2A
     tls.client.hash.sha256
       Certificate fingerprint using the SHA256 digest of the DER-encoded
       version of the certificate offered by the client. For consistency with
       other hash values, this value should be formatted as an uppercase hash.
       type: keyword example:
       0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
     tls.client.issuer
       Distinguished name of the subject of the issuer of the x.509 certificate
       presented by the client.
       type: keyword example: CN=Example Root CA, OU=Infrastructure Team,
       DC=example, DC=com
     tls.client.ja3
       A hash that identifies clients based on how they perform an SSL/TLS
       handshake.
       type: keyword example: d4e5b18d6b55c71272893221c96ba240
     tls.client.not_after
       Date/Time indicating when the client certificate is no longer considered
       valid.
       type: date example: 2021-01-01T00:00:00.000Z
     tls.client.not_before
       Date/Time indicating when the client certificate is first considered
       valid.
       type: date example: 1970-01-01T00:00:00.000Z
     tls.client.server_name
       Also called an SNI, this tells the server the hostname to which the
       client is attempting to connect. When this value is available, it
       should be copied to destination.domain.
       type: keyword example: www.elastic.co
     tls.client.subject
       Distinguished name of the subject of the x.509 certificate presented by
       the client.
       type: keyword example: CN=myclient, OU=Documentation Team, DC=example,
       DC=com
     tls.client.supported_ciphers
       Array of ciphers offered by the client during the client hello.
       type: keyword example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
       "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…"]
     tls.client.x509.alternative_names
       List of subject alternative names (SAN). Name types vary by certificate
       authority and certificate type but commonly contain IP addresses, DNS
       names (and wildcards), and email addresses.
       type: keyword example: *.elastic.co
     tls.client.x509.issuer.common_name
       List of common names (CN) of the issuing certificate authority.
       type: keyword example: Example SHA2 High Assurance Server CA
     tls.client.x509.issuer.country
       List of country (C) codes.
       type: keyword example: US
     tls.client.x509.issuer.distinguished_name
       Distinguished name (DN) of the issuing certificate authority.
       type: keyword example: C=US, O=Example Inc, OU=www.example.com,
       CN=Example SHA2 High Assurance Server CA
     tls.client.x509.issuer.locality
       List of locality names (L).
       type: keyword example: Mountain View
     tls.client.x509.issuer.organization
       List of organizations (O) of the issuing certificate authority.
       type: keyword example: Example Inc
     tls.client.x509.issuer.organizational_unit
       List of organizational units (OU) of the issuing certificate authority.
       type: keyword example: www.example.com
     tls.client.x509.issuer.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword example: California
     tls.client.x509.not_after
       Time at which the certificate is no longer considered valid.
       type: date example: 2020-07-16 03:15:39+00:00
     tls.client.x509.not_before
       Time at which the certificate is first considered valid.
       type: date example: 2019-08-16 01:40:25+00:00
     tls.client.x509.public_key_algorithm
       Algorithm used to generate the public key.
       type: keyword example: RSA
     tls.client.x509.public_key_curve
       The curve used by the elliptic curve public key algorithm. This is
       algorithm specific.
       type: keyword example: nistp521
     tls.client.x509.public_key_exponent
       Exponent used to derive the public key. This is algorithm specific.
       type: long example: 65537 Field is not indexed.
     tls.client.x509.public_key_size
       The size of the public key space in bits.
       type: long example: 2048
     tls.client.x509.serial_number
       Unique serial number issued by the certificate authority. For
       consistency, if this value is alphanumeric, it should be formatted
       without colons and in uppercase characters.
       type: keyword example: 55FBB9C7DEBF09809D12CCAA
     tls.client.x509.signature_algorithm
       Identifier for the certificate signature algorithm. We recommend using
       the names found in the Go crypto library. See
       https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353 .
       type: keyword example: SHA256-RSA
     tls.client.x509.subject.common_name
       List of common names (CN) of the subject.
       type: keyword example: shared.global.example.net
     tls.client.x509.subject.country
       List of country (C) codes.
       type: keyword example: US
     tls.client.x509.subject.distinguished_name
       Distinguished name (DN) of the certificate subject entity.
       type: keyword example: C=US, ST=California, L=San Francisco, O=Example,
       Inc., CN=shared.global.example.net
     tls.client.x509.subject.locality
       List of locality names (L).
       type: keyword example: San Francisco
     tls.client.x509.subject.organization
       List of organizations (O) of the subject.
       type: keyword example: Example, Inc.
     tls.client.x509.subject.organizational_unit
       List of organizational units (OU) of the subject.
       type: keyword
     tls.client.x509.subject.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword example: California
     tls.client.x509.version_number
       Version of the x509 format.
       type: keyword example: 3
     tls.curve
       String indicating the curve used for the given cipher, when applicable.
       type: keyword example: secp256r1
     tls.established
       Boolean flag indicating if the TLS negotiation was successful and
       transitioned to an encrypted tunnel.
       type: boolean
     tls.next_protocol
       String indicating the protocol being tunneled. Per the values in the
       IANA registry (
       https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
       ), this string should be lower case.
       type: keyword example: http/1.1
     tls.resumed
       Boolean flag indicating if this TLS connection was resumed from an
       existing TLS negotiation.
       type: boolean
     tls.server.certificate
       PEM-encoded stand-alone certificate offered by the server. This is
       usually mutually exclusive with server.certificate_chain, since this
       value also exists in that list.
       type: keyword example: MII…
     tls.server.certificate_chain
       Array of PEM-encoded certificates that make up the certificate chain
       offered by the server. This is usually mutually exclusive with
       server.certificate, since that value should be the first certificate in
       the chain.
       type: keyword example: ["MII…", "MII…"]
     tls.server.hash.md5
       Certificate fingerprint using the MD5 digest of the DER-encoded version
       of the certificate offered by the server. For consistency with other
       hash values, this value should be formatted as an uppercase hash.
       type: keyword example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
     tls.server.hash.sha1
       Certificate fingerprint using the SHA1 digest of the DER-encoded version
       of the certificate offered by the server. For consistency with other
       hash values, this value should be formatted as an uppercase hash.
       type: keyword example: 9E393D93138888D288266C2D915214D1D1CCEB2A
     tls.server.hash.sha256
       Certificate fingerprint using the SHA256 digest of the DER-encoded
       version of the certificate offered by the server. For consistency with
       other hash values, this value should be formatted as an uppercase hash.
       type: keyword example:
       0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
     tls.server.issuer
       Subject of the issuer of the x.509 certificate presented by the server.
       type: keyword example: CN=Example Root CA, OU=Infrastructure Team,
       DC=example, DC=com
     tls.server.ja3s
       A hash that identifies servers based on how they perform an SSL/TLS
       handshake.
       type: keyword example: 394441ab65754e2207b1e1b457b3641d
     tls.server.not_after
       Timestamp indicating when the server certificate is no longer
       considered valid.
       type: date example: 2021-01-01T00:00:00.000Z
     tls.server.not_before
       Timestamp indicating when the server certificate is first considered
       valid.
       type: date example: 1970-01-01T00:00:00.000Z
     tls.server.subject
       Subject of the x.509 certificate presented by the server.
       type: keyword example: CN=www.example.com, OU=Infrastructure Team,
       DC=example, DC=com
     tls.server.x509.alternative_names
       List of subject alternative names (SAN). Name types vary by certificate
       authority and certificate type but commonly contain IP addresses, DNS
       names (and wildcards), and email addresses.
       type: keyword example: *.elastic.co
     tls.server.x509.issuer.common_name
       List of common names (CN) of the issuing certificate authority.
       type: keyword example: Example SHA2 High Assurance Server CA
     tls.server.x509.issuer.country
       List of country (C) codes.
       type: keyword example: US
     tls.server.x509.issuer.distinguished_name
       Distinguished name (DN) of the issuing certificate authority.
       type: keyword example: C=US, O=Example Inc, OU=www.example.com,
       CN=Example SHA2 High Assurance Server CA
     tls.server.x509.issuer.locality
       List of locality names (L).
       type: keyword example: Mountain View
     tls.server.x509.issuer.organization
       List of organizations (O) of the issuing certificate authority.
       type: keyword example: Example Inc
     tls.server.x509.issuer.organizational_unit
       List of organizational units (OU) of the issuing certificate authority.
       type: keyword example: www.example.com
     tls.server.x509.issuer.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword example: California
     tls.server.x509.not_after
       Time at which the certificate is no longer considered valid.
       type: date example: 2020-07-16 03:15:39+00:00
     tls.server.x509.not_before
       Time at which the certificate is first considered valid.
       type: date example: 2019-08-16 01:40:25+00:00
     tls.server.x509.public_key_algorithm
       Algorithm used to generate the public key.
       type: keyword example: RSA
     tls.server.x509.public_key_curve
       The curve used by the elliptic curve public key algorithm. This is
       algorithm specific.
       type: keyword example: nistp521
     tls.server.x509.public_key_exponent
       Exponent used to derive the public key. This is algorithm specific.
       type: long example: 65537 Field is not indexed.
     tls.server.x509.public_key_size
       The size of the public key space in bits.
       type: long example: 2048
     tls.server.x509.serial_number
       Unique serial number issued by the certificate authority. For
       consistency, if this value is alphanumeric, it should be formatted
       without colons and in uppercase characters.
       type: keyword example: 55FBB9C7DEBF09809D12CCAA
     tls.server.x509.signature_algorithm
       Identifier for the certificate signature algorithm. We recommend using
       the names found in the Go crypto library. See
       https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353 .
       type: keyword example: SHA256-RSA
     tls.server.x509.subject.common_name
       List of common names (CN) of the subject.
       type: keyword example: shared.global.example.net
     tls.server.x509.subject.country
       List of country (C) codes.
       type: keyword example: US
     tls.server.x509.subject.distinguished_name
       Distinguished name (DN) of the certificate subject entity.
       type: keyword example: C=US, ST=California, L=San Francisco, O=Example,
       Inc., CN=shared.global.example.net
     tls.server.x509.subject.locality
       List of locality names (L).
       type: keyword example: San Francisco
     tls.server.x509.subject.organization
       List of organizations (O) of the subject.
       type: keyword example: Example, Inc.
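     The tls.server.hash.* and tls.server.x509.* entries above (and the
     identical tls.client.* set) describe how certificate data should be
     normalized: fingerprints as uppercase hex of the DER digest, the serial
     number without colons and in uppercase, and signature algorithm names as
     the Go crypto library spells them. The following Go program is an added
     example, not ECS project code: it builds a constructed self-signed RSA
     certificate so it runs offline, then derives those field values from the
     parsed certificate. The ECSCert struct, the function names, and the choice
     to emit the base64 DER body (the form the page's "MII…" example suggests)
     for tls.server.certificate are this example's assumptions; the serial
     number reuses the page's own example value.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ECSCert holds the tls.server.x509.* and tls.server.hash.* values derived below
// (hypothetical struct; field comments name the ECS field each one maps to).
type ECSCert struct {
	Certificate        string   // tls.server.certificate: base64 body of the DER certificate
	HashMD5, HashSHA1  string   // tls.server.hash.md5 / tls.server.hash.sha1
	HashSHA256         string   // tls.server.hash.sha256
	SerialNumber       string   // tls.server.x509.serial_number
	SignatureAlgorithm string   // tls.server.x509.signature_algorithm (Go names, e.g. SHA256-RSA)
	PublicKeyAlgorithm string   // tls.server.x509.public_key_algorithm
	PublicKeySize      int      // tls.server.x509.public_key_size
	PublicKeyExponent  int      // tls.server.x509.public_key_exponent
	SubjectCommonName  string   // tls.server.x509.subject.common_name
	SubjectDN          string   // tls.server.x509.subject.distinguished_name
	IssuerDN           string   // tls.server.x509.issuer.distinguished_name
	AlternativeNames   []string // tls.server.x509.alternative_names
	NotBefore          string   // tls.server.x509.not_before
	NotAfter           string   // tls.server.x509.not_after
	VersionNumber      int      // tls.server.x509.version_number
}

// upperHex renders a digest the way ECS asks for fingerprints: uppercase hex, no separators.
func upperHex(b []byte) string { return strings.ToUpper(hex.EncodeToString(b)) }

// CertToECS maps a parsed certificate onto the ECS x509 and hash fields.
func CertToECS(c *x509.Certificate) ECSCert {
	md5Sum, sha1Sum, sha256Sum := md5.Sum(c.Raw), sha1.Sum(c.Raw), sha256.Sum256(c.Raw)
	e := ECSCert{
		Certificate:        base64.StdEncoding.EncodeToString(c.Raw),
		HashMD5:            upperHex(md5Sum[:]),
		HashSHA1:           upperHex(sha1Sum[:]),
		HashSHA256:         upperHex(sha256Sum[:]),
		SerialNumber:       strings.ToUpper(c.SerialNumber.Text(16)), // no colons, uppercase
		SignatureAlgorithm: c.SignatureAlgorithm.String(),
		PublicKeyAlgorithm: c.PublicKeyAlgorithm.String(),
		SubjectCommonName:  c.Subject.CommonName,
		SubjectDN:          c.Subject.String(),
		IssuerDN:           c.Issuer.String(),
		NotBefore:          c.NotBefore.UTC().Format(time.RFC3339),
		NotAfter:           c.NotAfter.UTC().Format(time.RFC3339),
		VersionNumber:      c.Version,
	}
	// Key size and exponent are algorithm specific; only RSA is handled here.
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
		e.PublicKeySize, e.PublicKeyExponent = pub.N.BitLen(), pub.E
	}
	// alternative_names mixes DNS names, IP addresses and e-mail addresses.
	e.AlternativeNames = append(e.AlternativeNames, c.DNSNames...)
	for _, ip := range c.IPAddresses {
		e.AlternativeNames = append(e.AlternativeNames, ip.String())
	}
	e.AlternativeNames = append(e.AlternativeNames, c.EmailAddresses...)
	return e
}

// NewTestCert builds a constructed self-signed RSA certificate so the example runs offline.
func NewTestCert() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, _ := new(big.Int).SetString("55FBB9C7DEBF09809D12CCAA", 16) // page's example serial
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Inc"}},
		NotBefore:             time.Date(2019, 8, 16, 1, 40, 25, 0, time.UTC),
		NotAfter:              time.Date(2020, 7, 16, 3, 15, 39, 0, time.UTC),
		DNSNames:              []string{"www.example.com", "*.example.com"},
		SignatureAlgorithm:    x509.SHA256WithRSA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := NewTestCert()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", CertToECS(c))
}
```

     Only the RSA key parameters are filled in; an ECDSA certificate would
     populate public_key_curve instead, which this example leaves out.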
     tls.server.x509.subject.organizational_unit
       List of organizational units (OU) of the subject.
       type: keyword
     tls.server.x509.subject.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword example: California
     tls.server.x509.version_number
       Version of the x509 format.
       type: keyword example: 3
     tls.version
       Numeric part of the version parsed from the original string.
       type: keyword example: 1.2
     tls.version_protocol
       Normalized lowercase protocol name parsed from the original string.
       type: keyword example: tls
     span.id
       Unique identifier of the span within the scope of its trace. A span
       represents an operation within a transaction, such as a request to
       another service, or a database query.
       type: keyword example: 3ff9a8981b7ccd5a
     trace.id
       Unique identifier of the trace. A trace groups multiple events like
       transactions that belong together. For example, a user request handled
       by multiple inter-connected services.
       type: keyword example: 4bf92f3577b34da6a3ce929d0e0e4736
     transaction.id
       Unique identifier of the transaction within the scope of its trace. A
       transaction is the highest level of work measured within a service, such
       as a request to a server.
       type: keyword example: 00f067aa0ba902b7
     url
       URL fields provide support for complete or partial URLs, and support
       breaking them down into scheme, domain, path, and so on.
     url.domain
       Domain of the url, such as "www.elastic.co". In some cases a URL may
       refer to an IP and/or port directly, without a domain name. In this
       case, the IP address would go to the domain field. If the URL contains a
       literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ]
       characters should also be captured in the domain field.
       type: keyword example: www.elastic.co
     url.extension
       The field contains the file extension from the original request url,
       excluding the leading dot. The file extension is only set if it exists,
       as not every url has a file extension. The leading period must not be
       included. For example, the value must be "png", not ".png". Note that
       when the file name has multiple extensions (example.tar.gz), only the
       last one should be captured ("gz", not "tar.gz").
       type: keyword example: png
     url.fragment
       Portion of the url after the #, such as "top". The # is not part of the
       fragment.
       type: keyword
     url.full
       If full URLs are important to your use case, they should be stored in
       url.full, whether this field is reconstructed or present in the event
       source.
       type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top
     url.full.text
       type: match_only_text
     url.original
       Unmodified original url as seen in the event source. Note that in
       network monitoring, the observed URL may be a full URL, whereas in
       access logs, the URL is often just represented as a path. This field is
       meant to represent the URL as it was observed, complete or not.
       type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top
       or /search?q=elasticsearch
     url.original.text
       type: match_only_text
     url.password
       Password of the request.
       type: keyword
     url.path
       Path of the request, such as "/search".
       type: wildcard
     url.port
       Port of the request, such as 443.
       type: long example: 443 format: string
     url.query
       The query field describes the query string of the request, such as
       "q=elasticsearch". The ? is excluded from the query string. If a URL
       contains no ?, there is no query field. If there is a ? but no query,
       the query field exists with an empty string. The exists query can be
       used to differentiate between the two cases.
       type: keyword
     url.registered_domain
       The highest registered url domain, stripped of the subdomain. For
       example, the registered domain for "foo.example.com" is "example.com".
       This value can be determined precisely with a list like the public
       suffix list ( http://publicsuffix.org ). Trying to approximate this by
       simply taking the last two labels will not work well for TLDs such as
       "co.uk".
       type: keyword example: example.com
     url.scheme
       Scheme of the request, such as "https". Note: The : is not part of the
       scheme.
       type: keyword example: https
     url.subdomain
       The subdomain portion of a fully qualified domain name includes all of
       the names except the host name under the registered_domain. In a
       partially qualified domain, or if the qualification level of the full
       name cannot be determined, subdomain contains all of the names below the
       registered domain. For example, the subdomain portion of
       "www.east.mydomain.co.uk" is "east". If the domain has multiple levels
       of subdomain, such as "sub2.sub1.example.com", the subdomain field
       should contain "sub2.sub1", with no trailing period.
       type: keyword example: east
     url.top_level_domain
       The effective top level domain (eTLD), also known as the domain suffix,
       is the last part of the domain name. For example, the top level domain
       for example.com is "com". This value can be determined precisely with a
       list like the public suffix list ( http://publicsuffix.org ). Trying to
       approximate this by simply taking the last label will not work well for
       effective TLDs such as "co.uk".
       type: keyword example: co.uk
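     The url.* entries above carry several rules that are easy to get wrong
     when populating events: the brackets of an IPv6 literal stay in
     url.domain, only the last extension is kept, a trailing ? yields an empty
     query field rather than none, and registered_domain / top_level_domain
     need a public suffix list rather than a label count. The Go program below
     is an added example, not ECS or Elastic code, that applies those rules to
     a few constructed URLs. Its ECSURL struct and function names are this
     example's own; the tiny suffixes map is a constructed stand-in for the
     real public suffix list and covers only the hosts used here, and the
     subdomain rule follows the "all names below the registered domain"
     reading (the one the page's sub2.sub1 example illustrates).

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"path"
	"strconv"
	"strings"
)

// ECSURL holds the ECS url.* fields this example derives from a raw URL
// (hypothetical struct; each field name mirrors the ECS field it stands for).
type ECSURL struct {
	Original, Scheme, Domain, Path, Query, Fragment, Extension, Username string
	RegisteredDomain, Subdomain, TopLevelDomain                         string
	Port                                                                int  // 0 when the URL carries no explicit port
	HasQuery                                                            bool // true for "...?" with an empty query string
}

// suffixes is a constructed stand-in for the public suffix list (publicsuffix.org).
// A real pipeline must load the full list; this subset only covers the sample hosts.
var suffixes = map[string]bool{"com": true, "co": true, "uk": true, "co.uk": true}

// splitDomain returns (subdomain, registered_domain, top_level_domain) for a host
// name by matching the longest public suffix from the right.
func splitDomain(host string) (sub, reg, tld string) {
	labels := strings.Split(host, ".")
	for i := 0; i < len(labels); i++ {
		if suffixes[strings.Join(labels[i:], ".")] {
			if i == 0 {
				return "", "", host // the host is itself a public suffix
			}
			return strings.Join(labels[:i-1], "."), strings.Join(labels[i-1:], "."), strings.Join(labels[i:], ".")
		}
	}
	return "", "", "" // unknown suffix: leave the fields unset rather than guess
}

// naiveRegisteredDomain is the approximation the page warns against: the last two labels.
func naiveRegisteredDomain(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// ParseECSURL maps a raw URL onto ECS url.* fields following the rules on the page.
func ParseECSURL(raw string) (ECSURL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return ECSURL{}, err
	}
	e := ECSURL{Original: raw, Scheme: u.Scheme, Path: u.Path, Fragment: u.Fragment}
	// url.domain keeps the [ ] around a literal IPv6 address (RFC 2732).
	if strings.HasPrefix(u.Host, "[") {
		e.Domain = u.Host[:strings.Index(u.Host, "]")+1]
	} else {
		e.Domain = u.Hostname()
	}
	if p := u.Port(); p != "" {
		e.Port, _ = strconv.Atoi(p)
	}
	if u.User != nil {
		e.Username = u.User.Username()
	}
	// url.query: a ? with nothing after it still yields an (empty) query field.
	e.Query = u.RawQuery
	e.HasQuery = u.RawQuery != "" || u.ForceQuery
	// url.extension: only the last extension, without the leading dot.
	e.Extension = strings.TrimPrefix(path.Ext(u.Path), ".")
	// Domain decomposition applies to host names, not to IP literals.
	if e.Domain != "" && net.ParseIP(u.Hostname()) == nil {
		e.Subdomain, e.RegisteredDomain, e.TopLevelDomain = splitDomain(e.Domain)
	}
	return e, nil
}

func main() {
	for _, raw := range []string{
		"https://www.elastic.co:443/search?q=elasticsearch#top",
		"http://[2001:db8::1]:8080/files/archive.tar.gz?",
		"https://sub2.sub1.example.com/logo.png",
		"https://foo.co.uk/",
	} {
		e, err := ParseECSURL(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%+v\n", e)
	}
}
```

     For "foo.co.uk" the naive last-two-labels split returns "co.uk", which
     is the failure the page describes; the suffix-list split returns
     "foo.co.uk" as the registered domain and "co.uk" as the eTLD.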
     url.username
       Username of the request.
       type: keyword
     user
       The user fields describe information about the user that is relevant to
       the event. Fields can have one entry or multiple entries. If a user has
       more than one id, provide an array that includes all of them.
     user.changes.domain
       Name of the directory the user is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword
     user.changes.email
       User email address.
       type: keyword
     user.changes.full_name
       User’s full name, if available.
       type: keyword example: Albert Einstein
     user.changes.full_name.text
       type: match_only_text
     user.changes.group.domain
       Name of the directory the group is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword
     user.changes.group.id
       Unique identifier for the group on the system/platform.
       type: keyword
     user.changes.group.name
       Name of the group.
       type: keyword
     user.changes.hash
       Unique user hash to correlate information for a user in anonymized
       form. Useful if user.id or user.name contain confidential information
       and cannot be used.
       type: keyword
     user.changes.id
       Unique identifier of the user.
       type: keyword example: S-1-5-21-202424912787-2692429404-2351956786-1000
     user.changes.name
       Short name or login of the user.
       type: keyword example: a.einstein
     user.changes.name.text
       type: match_only_text
     user.changes.roles
       Array of user roles at the time of the event.
       type: keyword example: ["kibana_admin", "reporting_user"]
     user.domain
       Name of the directory the user is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword
     user.effective.domain
       Name of the directory the user is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword
     user.effective.email
       User email address.
       type: keyword
     user.effective.full_name
       User’s full name, if available.
       type: keyword example: Albert Einstein
     user.effective.full_name.text
       type: match_only_text
     user.effective.group.domain
       Name of the directory the group is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword
     user.effective.group.id
       Unique identifier for the group on the system/platform.
       type: keyword
     user.effective.group.name
       Name of the group.
       type: keyword
     user.effective.hash
       Unique user hash to correlate information for a user in anonymized
       form. Useful if user.id or user.name contain confidential information
       and cannot be used.
       type: keyword
     user.effective.id
       Unique identifier of the user.
       type: keyword example: S-1-5-21-202424912787-2692429404-2351956786-1000
     user.effective.name
       Short name or login of the user.
       type: keyword example: a.einstein
     user.effective.name.text
       type: match_only_text
     user.effective.roles
       Array of user roles at the time of the event.
       type: keyword example: ["kibana_admin", "reporting_user"]
     user.email
       User email address.
       type: keyword
     user.full_name
       User’s full name, if available.
       type: keyword example: Albert Einstein
     user.full_name.text
       type: match_only_text
     user.group.domain
       Name of the directory the group is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword
     user.group.id
       Unique identifier for the group on the system/platform.
       type: keyword
     user.group.name
       Name of the group.
       type: keyword
     user.hash
       Unique user hash to correlate information for a user in anonymized
       form. Useful if user.id or user.name contain confidential information
       and cannot be used.
       type: keyword
     user.id
       Unique identifier of the user.
       type: keyword example: S-1-5-21-202424912787-2692429404-2351956786-1000
     user.name
       Short name or login of the user.
       type: keyword example: a.einstein
     user.name.text
       type: match_only_text
     user.roles
       Array of user roles at the time of the event.
       type: keyword example: ["kibana_admin", "reporting_user"]
     user.target.domain
       Name of the directory the user is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword
     user.target.email
       User email address.
       type: keyword
     user.target.full_name
       User’s full name, if available.
       type: keyword example: Albert Einstein
     user.target.full_name.text
       type: match_only_text
     user.target.group.domain
       Name of the directory the group is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword
     user.target.group.id
       Unique identifier for the group on the system/platform.
       type: keyword
     user.target.group.name
       Name of the group.
       type: keyword
     user.target.hash
       Unique user hash to correlate information for a user in anonymized
       form. Useful if user.id or user.name contain confidential information
       and cannot be used.
       type: keyword
     user.target.id
       Unique identifier of the user.
       type: keyword example: S-1-5-21-202424912787-2692429404-2351956786-1000
     user.target.name
       Short name or login of the user.
       type: keyword example: a.einstein
     user.target.name.text
       type: match_only_text
     user.target.roles
       Array of user roles at the time of the event.
       type: keyword example: ["kibana_admin", "reporting_user"]
     user_agent
       The user_agent fields normally come from a browser request. They often
       show up in web service logs coming from the parsed user agent string.
     user_agent.device.name
       Name of the device.
       type: keyword example: iPhone
     user_agent.name
       Name of the user agent.
       type: keyword example: Safari
     user_agent.original
       Unparsed user_agent string.
       type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac
       OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
       Mobile/15E148 Safari/604.1
     user_agent.original.text
       type: match_only_text
     user_agent.os.family
       OS family (such as redhat, debian, freebsd, windows).
       type: keyword example: debian
     user_agent.os.full
       Operating system name, including the version or code name.
       type: keyword example: Mac OS Mojave
     user_agent.os.full.text
       type: match_only_text
     user_agent.os.kernel
       Operating system kernel version as a raw string.
       type: keyword example: 4.4.0-112-generic
     user_agent.os.name
       Operating system name, without the version.
       type: keyword example: Mac OS X
     user_agent.os.name.text
       type: match_only_text
     user_agent.os.platform
       Operating system platform (such as centos, ubuntu, windows).
       type: keyword example: darwin
     user_agent.os.type
       Use the os.type field to categorize the operating system into one of
       the broad commercial families. One of the following values should be
       used (lowercase): linux, macos, unix, windows. If the OS you’re dealing
       with is not in the list, the field should not be populated. Please let
       us know by opening an issue with ECS, to propose its addition.
       type: keyword example: macos
     user_agent.os.version
       Operating system version as a raw string.
       type: keyword example: 10.14.1
     user_agent.version
       Version of the user agent.
       type: keyword example: 12.0
     vlan
       The VLAN fields are used to identify 802.1q tag(s) of a packet, as well
       as ingress and egress VLAN associations of an observer in relation to a
       specific packet or connection. Network.vlan fields are used to record a
       single VLAN tag, or the outer tag in the case of q-in-q encapsulations,
       for a packet or connection as observed, typically provided by a network
       sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
       Network.inner VLAN fields are used to report inner q-in-q 802.1q tags
       (multiple 802.1q encapsulations) as observed, typically provided by a
       network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
       Network.inner VLAN fields should only be used in addition to
       network.vlan fields to indicate q-in-q tagging. Observer.ingress and
       observer.egress VLAN values are used to record observer specific
       information when observer events contain discrete ingress and egress
       VLAN information, typically provided by firewalls, routers, or load
       balancers.
     vlan.id
       VLAN ID as reported by the observer.
       type: keyword example: 10
     vlan.name
       Optional VLAN name as reported by the observer.
       type: keyword example: outside
     vulnerability
       The vulnerability fields describe information about a vulnerability that
       is relevant to an event.
     vulnerability.category
       The type of system or architecture that the vulnerability affects. These
       may be platform-specific (for example, Debian or SUSE) or general (for
       example, Database or Firewall). For example (Qualys vulnerability
       categories). This field must be an array.
       type: keyword example: ["Firewall"]
     vulnerability.classification
       The classification of the vulnerability scoring system. For example (
       https://www.first.org/cvss/ ).
       type: keyword example: CVSS
     vulnerability.description
       The description of the vulnerability that provides additional context of
       the vulnerability. For example (Common Vulnerabilities and Exposure CVE
       description).
       type: keyword example: In macOS before 2.12.6, there is a vulnerability
       in the RPC…
     vulnerability.description.text
       type: match_only_text
     vulnerability.enumeration
       The type of identifier used for this vulnerability. For example (
       https://cve.mitre.org/about/ ).
       type: keyword example: CVE
     vulnerability.id
       The identification (ID) is the number portion of a vulnerability entry.
       It includes a unique identification number for the vulnerability. For
       example (Common Vulnerabilities and Exposure CVE ID).
       type: keyword example: CVE-2019-00001
     vulnerability.reference
       A resource that provides additional information, context, and
       mitigations for the identified vulnerability.
       type: keyword example:
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
     vulnerability.report_id
       The report or scan identification number.
       type: keyword example: 20191018.0001
     vulnerability.scanner.vendor
       The name of the vulnerability scanner vendor.
       type: keyword example: Tenable
     vulnerability.score.base
       Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base
       scores cover an assessment for exploitability metrics (attack vector,
       complexity, privileges, and user interaction), impact metrics
       (confidentiality, integrity, and availability), and scope. For example (
       https://www.first.org/cvss/specification-document ).
       type: float example: 5.5
     vulnerability.score.environmental
       Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
       Environmental scores cover an assessment for any modified Base metrics,
       confidentiality, integrity, and availability requirements. For example (
       https://www.first.org/cvss/specification-document ).
       type: float example: 5.5
     vulnerability.score.temporal
       Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
       Temporal scores cover an assessment for code maturity, remediation
       level, and confidence. For example (
       https://www.first.org/cvss/specification-document ).
       type: float
     vulnerability.score.version
       The National Vulnerability Database (NVD) provides qualitative severity
       rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges
       in addition to the severity ratings for CVSS v3.0 as they are defined in
       the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org,
       Inc. (FIRST), a US-based non-profit organization, whose mission is to
       help computer security incident response teams across the world. For
       example ( https://nvd.nist.gov/vuln-metrics/cvss ).
       type: keyword example: 2.0
     vulnerability.severity
       The severity of the vulnerability can help with metrics and internal
       prioritization regarding remediation. For example (
       https://nvd.nist.gov/vuln-metrics/cvss ).
       type: keyword example: Critical
     x509
       This implements the common core fields for x509 certificates. This
       information is likely logged with TLS sessions, digital signatures found
       in executable binaries, S/MIME information in email bodies, or analysis
       of files on disk. When the certificate relates to a file, use the fields
       at file.x509. When hashes of the DER-encoded certificate are available,
       the hash data set should be populated as well (e.g. file.hash.sha256).
       Events that contain certificate information about network connections
       should use the x509 fields under the relevant TLS fields:
       tls.server.x509 and/or tls.client.x509.
     x509.alternative_names
       List of subject alternative names (SAN). Name types vary by certificate
       authority and certificate type but commonly contain IP addresses, DNS
       names (and wildcards), and email addresses.
       type: keyword example: *.elastic.co
     x509.issuer.common_name
       List of common names (CN) of the issuing certificate authority.
       type: keyword example: Example SHA2 High Assurance Server CA
     x509.issuer.country
       List of country (C) codes.
       type: keyword example: US
     x509.issuer.distinguished_name
       Distinguished name (DN) of the issuing certificate authority.
       type: keyword example: C=US, O=Example Inc, OU=www.example.com,
       CN=Example SHA2 High Assurance Server CA
     x509.issuer.locality
       List of locality names (L).
       type: keyword example: Mountain View
     x509.issuer.organization
       List of organizations (O) of the issuing certificate authority.
       type: keyword example: Example Inc
     x509.issuer.organizational_unit
       List of organizational units (OU) of the issuing certificate authority.
       type: keyword example: www.example.com
     x509.issuer.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword example: California
     x509.not_after
       Time at which the certificate is no longer considered valid.
       type: date example: 2020-07-16 03:15:39+00:00
     x509.not_before
       Time at which the certificate is first considered valid.
       type: date example: 2019-08-16 01:40:25+00:00
     x509.public_key_algorithm
       Algorithm used to generate the public key.
       type: keyword example: RSA
     x509.public_key_curve
       The curve used by the elliptic
     curve public key algorithm. This is algorithm specific. type: keyword
     example: nistp521 x509.public_key_exponent Exponent used to derive the
     public key. This is algorithm specific. type: long example: 65537 Field is
     not indexed. x509.public_key_size The size of the public key space in bits.
     type: long example: 2048 x509.serial_number Unique serial number issued by
     the certificate authority. For consistency, if this value is alphanumeric,
     it should be formatted without colons and uppercase characters. type:
     keyword example: 55FBB9C7DEBF09809D12CCAA x509.signature_algorithm
     Identifier for certificate signature algorithm. We recommend using names
     found in Go Lang Crypto library. See
     https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353
     . type: keyword example: SHA256-RSA x509.subject.common_name List of common
     names (CN) of subject. type: keyword example: shared.global.example.net
     x509.subject.country List of country © code type: keyword example: US
     x509.subject.distinguished_name Distinguished name (DN) of the certificate
     subject entity. type: keyword example: C=US, ST=California, L=San
     Francisco, O=Example, Inc., CN=shared.global.example.net
     x509.subject.locality List of locality names (L) type: keyword example: San
     Francisco x509.subject.organization List of organizations (O) of subject.
     type: keyword example: Example, Inc. x509.subject.organizational_unit List
     of organizational units (OU) of subject. type: keyword
     x509.subject.state_or_province List of state or province names (ST, S, or
     P) type: keyword example: California x509.version_number Version of x509
     format. type: keyword example: 3


 6.  NOT SURE HOW TO READ FROM .EVTX FILES
     
     https://www.elastic.co/guide/en/beats/winlogbeat/current/reading-from-evtx.html
     Documentation
     
     Yes, Winlogbeat can ingest archived .evtx files. When you set the name
     parameter as the absolute path to an event log file it will read from that
     file. Here’s an example. First create a new config file for Winlogbeat.

     winlogbeat-evtx.yml

         winlogbeat.event_logs:
           - name: ${EVTX_FILE}
             no_more_events: stop

         winlogbeat.shutdown_timeout: 30s
         winlogbeat.registry_file: evtx-registry.yml
         output.elasticsearch.hosts: ['http://localhost:9200']

     name will be set to the value of the EVTX_FILE environment variable.

     no_more_events sets the behavior of Winlogbeat when Windows reports that
     there are no more events to read. We want Winlogbeat to stop rather than
     wait since this is an archived file that will not receive any more events.

     shutdown_timeout controls the maximum amount of time Winlogbeat will wait
     to finish publishing the events to Elasticsearch after stopping because it
     reached the end of the log.

     A separate registry file is used to avoid overwriting the default registry
     file. You can delete this file after you’re done ingesting the .evtx data.

     Now execute Winlogbeat and wait for it to complete. It will exit when it’s
     done.

         .\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=c:\backup\Security-2019.01.evtx


 7.  WINLOGBEAT QUICK START: INSTALLATION AND CONFIGURATION
     
     https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html
     Documentation
     
     This guide describes how to get started quickly with Windows log
     monitoring. You’ll learn how to:

      * install Winlogbeat on each system you want to monitor
      * specify the location of your log files
      * parse log data into fields and send it to Elasticsearch
      * visualize the log data in Kibana

     Before you begin

     You need Elasticsearch for storing and searching your data, and Kibana for
     visualizing and managing it.

     Elasticsearch Service: To get started quickly, spin up a deployment of our
     hosted Elasticsearch Service. The Elasticsearch Service is available on
     AWS, GCP, and Azure. Try it out for free.

     Self-managed: To install and run Elasticsearch and Kibana, see Installing
     the Elastic Stack.

     Step 1: Install Winlogbeat

      1. Download the Winlogbeat zip file from the downloads page.
      2. Extract the contents into C:\Program Files.
      3. Rename the winlogbeat-<version> directory to Winlogbeat.
      4. Open a PowerShell prompt as an Administrator (right-click on the
         PowerShell icon and select Run As Administrator).
      5. From the PowerShell prompt, run the following commands to install the
         service.

         PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
         PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

         Security warning
         Run only scripts that you trust. While scripts from the internet can
         be useful, this script can potentially harm your computer. If you
         trust this script, use the Unblock-File cmdlet to allow the script to
         run without this warning message. Do you want to run
         C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
         [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R

         Status   Name               DisplayName
         ------   ----               -----------
         Stopped  winlogbeat         winlogbeat

     If script execution is disabled on your system, you need to set the
     execution policy for the current session to allow the script to run. For
     example: PowerShell.exe -ExecutionPolicy UnRestricted -File
     .\install-service-winlogbeat.ps1.

     To use a local non-Administrator account to run Winlogbeat, follow these
     additional steps.

     Step 2: Connect to the Elastic Stack

     Connections to Elasticsearch and Kibana are required to set up Winlogbeat.
     Set the connection information in winlogbeat.yml. To locate this
     configuration file, see Directory layout.

     Elasticsearch Service: Specify the cloud.id of your Elasticsearch Service,
     and set cloud.auth to a user who is authorized to set up Winlogbeat. For
     example:

         cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
         cloud.auth: "winlogbeat_setup:YOUR_PASSWORD"

     Self-managed: Set the host and port where Winlogbeat can find the
     Elasticsearch installation, and set the username and password of a user
     who is authorized to set up Winlogbeat. For example:

         output.elasticsearch:
           hosts: ["https://myEShost:9200"]
           username: "winlogbeat_internal"
           password: "YOUR_PASSWORD"
           ssl:
             enabled: true
             ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c"

     If you plan to use our pre-built Kibana dashboards, configure the Kibana
     endpoint. Skip this step if Kibana is running on the same host as
     Elasticsearch.

         setup.kibana:
           host: "mykibanahost:5601"
           username: "my_kibana_user"
           password: "{pwd}"

     To learn more about required roles and privileges, see Grant users access
     to secured resources.

     Step 3: Configure Winlogbeat

     In winlogbeat.yml, configure the event logs that you want to monitor.

      1. Under winlogbeat.event_logs, specify a list of event logs to monitor.
         By default, Winlogbeat monitors application, security, and system
         logs.

         winlogbeat.event_logs:
           - name: Application
           - name: Security
           - name: System

         To obtain a list of available event logs, run Get-EventLog * in
         PowerShell. For more information about this command, see the
         configuration details for event_logs.name.

      2. (Optional) Set logging options to write Winlogbeat logs to a file:

         logging.to_files: true
         logging.files:
           path: C:\ProgramData\winlogbeat\Logs
         logging.level: info

      3. After you save your configuration file, test it with the following
         command.

         PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

     For more information about configuring Winlogbeat, also see:

      * Configure Winlogbeat
      * Config file format
      * winlogbeat.reference.yml: This reference configuration file shows all
        non-deprecated options. You’ll find it in the same location as
        winlogbeat.yml.

     Step 4: Set up assets

     Winlogbeat comes with predefined assets for parsing, indexing, and
     visualizing your data. To load these assets:

      1. Make sure the user specified in winlogbeat.yml is authorized to set up
         Winlogbeat.
      2. From the installation directory, run:

         PS > .\winlogbeat.exe setup -e

     This step loads the recommended index template for writing to
     Elasticsearch, loads the ingest pipelines to parse the events (x-pack
     only), and deploys the sample dashboards for visualizing the data in
     Kibana.

     A connection to Elasticsearch (or Elasticsearch Service) is required to
     set up the initial environment. If you’re using a different output, such
     as Logstash, see:

      * Load the index template manually
      * Load Kibana dashboards
      * Load ingest pipelines (x-pack only)

     Step 5: Start Winlogbeat

     Before starting Winlogbeat, modify the user credentials in winlogbeat.yml
     and specify a user who is authorized to publish events.

     To start the Winlogbeat service, run:

         PS C:\Program Files\Winlogbeat> Start-Service winlogbeat

     Winlogbeat should now be running. If you used the logging configuration
     described here, you can view the log file at
     C:\ProgramData\winlogbeat\Logs\winlogbeat.

     You can view the status of the service and control it from the Services
     management console in Windows. To launch the management console, run this
     command:

         PS C:\Program Files\Winlogbeat> services.msc

     Stop Winlogbeat

     Stop the Winlogbeat service with the following command:

         PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat

     Step 6: View your data in Kibana

     Winlogbeat comes with pre-built Kibana dashboards and UIs for visualizing
     log data. You loaded the dashboards earlier when you ran the setup
     command.

     To open the dashboards:

      1. Launch Kibana:
         Elasticsearch Service: Log in to your Elastic Cloud account. Navigate
         to the Kibana endpoint in your deployment.
         Self-managed: Point your browser to http://localhost:5601, replacing
         localhost with the name of the Kibana host.
      2. In the side navigation, click Discover. To see Winlogbeat data, make
         sure the predefined winlogbeat-* index pattern is selected. If you
         don’t see data in Kibana, try changing the time filter to a larger
         range. By default, Kibana shows the last 15 minutes.
      3. In the side navigation, click Dashboard, then select the dashboard
         that you want to open.

     The dashboards are provided as examples. We recommend that you customize
     them to meet your needs.

     Using a local non-Administrator account to run Winlogbeat

     By default, the Winlogbeat service runs as the Local System account. If
     you want to run the Winlogbeat service as a local user account that is not
     an Administrator, then follow the steps below. The local user account must
     be granted Log on as a service in the security policy and be made part of
     the Builtin\Event Log Readers group to read the event log.

      1. Open the Services Management console with this command:

         PS C:\Program Files\Winlogbeat> services.msc

      2. Right-click on the service named winlogbeat and select Properties.
      3. Under the Log On tab, select This account: and browse for the local
         account user that you want to run the Winlogbeat service as.
      4. Enter the local user account’s password and click Apply.
      5. Search and open Local Group Policy Editor in Windows search or run
         gpedit.msc from PowerShell.
      6. Navigate to path: Computer Settings → Security Settings → Local
         Policies and open User Rights Assignment under it.
      7. Inside User Rights Assignment, add your local user account to the
         policy named Log on as a service. This should allow your local user
         account to log on as a service.
      8. Open Local Users and Group Manager by running lusrmgr.msc in
         PowerShell.
      9. Under Users, right-click on your local account user and open
         Properties.
     10. Select the Member of tab and click on Add...
     11. Find and select the group named Event Log Readers and click Apply.
         This should allow your local account user to read the event log.

     What’s next?

     Now that you have your logs streaming into Elasticsearch, learn how to
     unify your logs, metrics, uptime, and application performance data.

      * Ingest data from other sources by installing and configuring other
        Elastic Beats:
      * Use the Observability apps in Kibana to search across all your data:


 8.  START WINLOGBEAT
     
     https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-starting.html
     Documentation
     
     Before starting Winlogbeat:

      * Follow the steps in Quick start: installation and configuration to
        install, configure, and set up the Winlogbeat environment.
      * Make sure Kibana and Elasticsearch are running.
      * Make sure the user specified in winlogbeat.yml is authorized to publish
        events.

     To start Winlogbeat, run:

         PS C:\Program Files\Winlogbeat> Start-Service winlogbeat

     Winlogbeat should now be running. If you used the logging configuration
     described here, you can view the log file at
     C:\ProgramData\winlogbeat\Logs\winlogbeat.

     You can view the status of the service and control it from the Services
     management console in Windows. To launch the management console, run this
     command:

         PS C:\Program Files\Winlogbeat> services.msc


 9.  RUN METRICBEAT ON KUBERNETES
     
     https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-kubernetes.html
     Documentation
     
     You can use Metricbeat Docker images on Kubernetes to retrieve cluster
     metrics.

     Running Elastic Cloud on Kubernetes? See Run Beats on ECK.

     Kubernetes deploy manifests

     You deploy Metricbeat as a DaemonSet to ensure that there’s a running
     instance on each node of the cluster. These instances are used to
     retrieve most metrics from the host, such as system metrics, Docker stats,
     and metrics from all the services running on top of Kubernetes.

     In addition, one of the Pods in the DaemonSet will constantly hold a
     leader lock which makes it responsible for handling cluster-wide
     monitoring. This instance is used to retrieve metrics that are unique for
     the whole cluster, such as Kubernetes events or kube-state-metrics. You
     can find more information about leader election configuration options at
     Autodiscover.

     Note: If you are upgrading from older versions, please make sure there are
     no redundant parts as left-overs from the old manifests. Deployment
     specification and its ConfigMaps might be the case.

     Everything is deployed under the kube-system namespace by default. To
     change the namespace, modify the manifest file.

     To download the manifest file, run:

         curl -L -O https://raw.githubusercontent.com/elastic/beats/8.14/deploy/kubernetes/metricbeat-kubernetes.yaml

     If you are using Kubernetes 1.7 or earlier: Metricbeat uses a hostPath
     volume to persist internal data. It’s located under
     /var/lib/metricbeat-data. The manifest uses folder autocreation
     (DirectoryOrCreate), which was introduced in Kubernetes 1.8. You need to
     remove type: DirectoryOrCreate from the manifest and create the host
     folder yourself.

     Settings

     By default, Metricbeat sends events to an existing Elasticsearch
     deployment, if present. To specify a different destination, change the
     following parameters in the manifest file:

         - name: ELASTICSEARCH_HOST
           value: elasticsearch
         - name: ELASTICSEARCH_PORT
           value: "9200"
         - name: ELASTICSEARCH_USERNAME
           value: elastic
         - name: ELASTICSEARCH_PASSWORD
           value: changeme

     Running Metricbeat on control plane nodes

     Kubernetes control plane nodes can use taints to limit the workloads that
     can run on them. To run Metricbeat on control plane nodes you may need to
     update the DaemonSet spec to include proper tolerations:

         spec:
           tolerations:
           - key: node-role.kubernetes.io/control-plane
             effect: NoSchedule

     Red Hat OpenShift configuration

     If you are using Red Hat OpenShift, you need to specify additional
     settings in the manifest file and grant the metricbeat service account
     access to the privileged SCC:

      1. In the manifest file, edit the metricbeat-daemonset-modules ConfigMap,
         and specify the following settings under kubernetes.yml in the data
         section:

         kubernetes.yml: |-
           - module: kubernetes
             metricsets:
               - node
               - system
               - pod
               - container
               - volume
             period: 10s
             host: ${NODE_NAME}
             hosts: ["https://${NODE_NAME}:10250"]
             bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
             ssl.certificate_authorities:
               - /path/to/kubelet-service-ca.crt
           - module: kubernetes
             metricsets:
               - proxy
             period: 10s
             host: ${NODE_NAME}
             hosts: ["localhost:29101"]

         kubelet-service-ca.crt can be any CA bundle that contains the issuer
         of the certificate used in the Kubelet API. According to each specific
         installation of OpenShift this can be found either in secrets or in
         configmaps. In some installations it can be available as part of the
         service account secret, in
         /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt. In case
         of using the OpenShift installer for GCP, the following configmap can
         be mounted in the Metricbeat Pod and ca-bundle.crt used in
         ssl.certificate_authorities:

         Name:         kubelet-serving-ca
         Namespace:    openshift-kube-apiserver
         Labels:       <none>
         Annotations:  <none>

         Data
         ====
         ca-bundle.crt:

      2. If https is used to access kube-state-metrics, add the following
         settings to the metricbeat-daemonset-config ConfigMap under the
         kubernetes autodiscover configuration for the state_* metricsets:

         bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
         ssl.certificate_authorities:
           - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt

      3. Grant the metricbeat service account access to the privileged SCC:

         oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:metricbeat

         This command enables the container to be privileged as an
         administrator for OpenShift.

      4. If the namespace where elastic-agent is running has the
         "openshift.io/node-selector" annotation set, elastic-agent might not
         run on all nodes. In this case consider overriding the node selector
         for the namespace to allow scheduling on any node:

         oc patch namespace kube-system -p \
           '{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'

         This command sets the node selector for the project to an empty
         string. If you don’t run this command, the default node selector will
         skip control plane nodes.

      5. For OpenShift versions prior to 4.x, you additionally need to modify
         the DaemonSet container spec in the manifest file to enable the
         container to run as privileged:

         securityContext:
           runAsUser: 0
           privileged: true

     Load Kibana dashboards

     Metricbeat comes packaged with various pre-built Kibana dashboards that
     you can use to visualize metrics about your Kubernetes environment.

     If these dashboards are not already loaded into Kibana, you must install
     Metricbeat on any system that can connect to the Elastic Stack, and then
     run the setup command to load the dashboards. To learn how, see Load
     Kibana dashboards.

     If you are using a different output other than Elasticsearch, such as
     Logstash, you need to Load the index template manually and Load Kibana
     dashboards.

     Deploy

     Metricbeat gets some metrics from kube-state-metrics. If
     kube-state-metrics is not already running, deploy it now (see the
     Kubernetes deployment docs).

     To deploy Metricbeat to Kubernetes, run:

         kubectl create -f metricbeat-kubernetes.yaml

     To check the status, run:

         $ kubectl --namespace=kube-system get ds/metricbeat

         NAME         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE-SELECTOR   AGE
         metricbeat   32        32        0       32           0           <none>          1m

     Metrics should start flowing to Elasticsearch.

     Deploying Metricbeat to collect cluster-level metrics in large clusters

     The size and the number of nodes in a Kubernetes cluster can be fairly
     large at times, and in such cases the Pod that will be collecting cluster
     level metrics might face performance issues due to resource limitations.
     In this case users might consider avoiding the leader election strategy
     and instead run a dedicated, standalone Metricbeat instance using a
     Deployment in addition to the DaemonSet.


 10. GRANT ACCESS USING API KEYS
     
     https://www.elastic.co/guide/en/beats/packetbeat/current/beats-api-keys.html
     Documentation
     
     Instead of using usernames and passwords, you can use API keys to grant
     access to Elasticsearch resources. You can set API keys to expire at a
     certain time, and you can explicitly invalidate them. Any user with the
     manage_api_key or manage_own_api_key cluster privilege can create API
     keys.

     Packetbeat instances typically send both collected data and monitoring
     information to Elasticsearch. If you are sending both to the same cluster,
     you can use the same API key. For different clusters, you need to use an
     API key per cluster.

     For security reasons, we recommend using a unique API key per Packetbeat
     instance. You can create as many API keys per user as necessary.

     Review Grant users access to secured resources before creating API keys
     for Packetbeat.

     Create an API key for publishing

     To create an API key to use for writing data to Elasticsearch, use the
     Create API key API, for example:

         POST /_security/api_key
         {
           "name": "packetbeat_host001",
           "role_descriptors": {
             "packetbeat_writer": {
               "cluster": ["monitor", "read_ilm", "read_pipeline"],
               "index": [
                 {
                   "names": ["packetbeat-*"],
                   "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
                 }
               ]
             }
           }
         }

     See Create a publishing user for the list of privileges required to
     publish events.

     The return value will look something like this:

         {
           "id":"TiNAGG4BaaMdaH1tRfuU",
           "name":"packetbeat_host001",
           "api_key":"KnR6yE41RrSowb0kQ0HWoA"
         }

     You can now use this API key in your packetbeat.yml configuration file
     like this:

         output.elasticsearch:
           api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA

     Create an API key for monitoring

     To create an API key to use for sending monitoring data to Elasticsearch,
     use the Create API key API, for example:

         POST /_security/api_key
         {
           "name": "packetbeat_host001",
           "role_descriptors": {
             "packetbeat_monitoring": {
               "cluster": ["monitor"],
               "index": [
                 {
                   "names": [".monitoring-beats-*"],
                   "privileges": ["create_index", "create"]
                 }
               ]
             }
           }
         }

     See Create a monitoring user for the list of privileges required to send
     monitoring data.

     The return value will look something like this:

         {
           "id":"TiNAGG4BaaMdaH1tRfuU",
           "name":"packetbeat_host001",
           "api_key":"KnR6yE41RrSowb0kQ0HWoA"
         }

     You can now use this API key in your packetbeat.yml configuration file
     like this:

         monitoring.elasticsearch:
           api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA

     Learn more about API keys

     See the Elasticsearch API key documentation for more information:

      * Create API key
      * Get API key information
      * Invalidate API key


 11. ECS FIELDS
     
     https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-ecs.html
     Documentation
     
     This section defines Elastic Common Schema (ECS) fields, a common set of
     fields to be used when storing event data in Elasticsearch.

     This is an exhaustive list, and fields listed here are not necessarily
     used by Packetbeat. The goal of ECS is to enable and encourage users of
     Elasticsearch to normalize their event data, so that they can better
     analyze, visualize, and correlate the data represented in their events.

     See the ECS reference for more information.

     @timestamp
       Date/time when the event originated. This is the date/time extracted
       from the event, typically representing when the event was generated by
       the source. If the event source has no original timestamp, this value
       is typically populated by the first time the event was received by the
       pipeline. Required field for all events.
       type: date
       example: 2016-05-23T08:05:34.853Z
       required: True

     labels
       Custom key/value pairs. Can be used to add meta information to events.
       Should not contain nested objects. All values are stored as keyword.
       Example: docker and k8s labels.
       type: object
       example: {"application": "foo-bar", "env": "production"}

     message
       For log events the message field contains the log message, optimized
       for viewing in a log viewer. For structured logs without an original
       message field, other fields can be concatenated to form a
       human-readable summary of the event. If multiple messages exist, they
       can be combined into one message.
       type: match_only_text
       example: Hello World

     tags
       List of keywords used to tag each event.
       type: keyword
       example: ["production", "env2"]

     agent
       The agent fields contain the data about the software entity, if any,
       that collects, detects, or observes events on a host, or takes
       measurements on a host. Examples include Beats. Agents may also run on
       observers. ECS agent.* fields shall be populated with details of the
       agent running on the host or observer where the event happened or the
       measurement was taken.

     agent.build.original
       Extended build information for the agent. This field is intended to
       contain any build information that a data source may provide, no
       specific formatting is required.
       type: keyword
       example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0
       [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10
       +0000 UTC]

     agent.ephemeral_id
       Ephemeral identifier of this agent (if one exists). This id normally
       changes across restarts, but agent.id does not.
       type: keyword
       example: 8a4f500f

     agent.id
       Unique identifier of this agent (if one exists). Example: For Beats this
       would be beat.id.
       type: keyword
       example: 8a4f500d

     agent.name
       Custom name of the agent. This is a name that can be given to an agent.
       This can be helpful if for example two Filebeat instances are running on
       the same host but a human readable separation is needed on which
       Filebeat instance data is coming from. If no name is given, the name is
       often left empty.
       type: keyword
       example: foo

     agent.type
       Type of the agent. The agent type always stays the same and should be
       given by the agent used. In case of Filebeat the agent would always be
       Filebeat also if two Filebeat instances are run on the same machine.
       type: keyword
       example: filebeat

     agent.version
       Version of the agent.
       type: keyword
       example: 6.0.0-rc2

     as
       An autonomous system (AS) is a collection of connected Internet Protocol
       (IP) routing prefixes under the control of one or more network operators
       on behalf of a single administrative entity or domain that presents a
       common, clearly defined routing policy to the internet.

     as.number
       Unique number allocated to the autonomous system. The autonomous system
       number (ASN) uniquely identifies each network on the Internet.
       type: long
       example: 15169

     as.organization.name
       Organization name.
       type: keyword
       example: Google LLC

     as.organization.name.text
       type: match_only_text

     client
       A client is defined as the initiator of a network connection for events
       regarding sessions, connections, or bidirectional flow records. For TCP
       events, the client is the initiator of the TCP connection that sends
       the SYN packet(s). For other protocols, the client is generally the
       initiator or requestor in the network transaction. Some systems use the
       term "originator" to refer to the client in TCP connections. The client
       fields describe details about the system acting as the client in the
       network event. Client fields are usually populated in conjunction with
       server fields. Client fields are generally not populated for
       packet-level events. Client / server representations can add semantic
       context to an exchange, which is helpful to visualize the data in
       certain situations. If your context falls in that category, you should
       still ensure that source and destination are filled appropriately.

     client.address
       Some event client addresses are defined ambiguously. The event will
       sometimes list an IP, a domain or a unix socket. You should always
       store the raw address in the .address field. Then it should be
       duplicated to .ip or .domain, depending on which one it is.
       type: keyword

     client.as.number
       Unique number allocated to the autonomous system. The autonomous system
       number (ASN) uniquely identifies each network on the Internet.
       type: long
       example: 15169

     client.as.organization.name
       Organization name.
       type: keyword
       example: Google LLC

     client.as.organization.name.text
       type: match_only_text

     client.bytes
       Bytes sent from the client to the server.
       type: long
       example: 184
       format: bytes

     client.domain
       The domain name of the client system. This value may be a host name, a
       fully qualified domain name, or another host naming format. The value
       may derive from the original event or be added from enrichment.
       type: keyword
       example: foo.example.com

     client.geo.city_name
       City name.
       type: keyword
       example: Montreal

     client.geo.continent_code
       Two-letter code representing continent’s name.
       type: keyword
       example: NA

     client.geo.continent_name
       Name of the continent.
       type: keyword
       example: North America

     client.geo.country_iso_code
       Country ISO code.
       type: keyword
       example: CA

     client.geo.country_name
       Country name.
       type: keyword
       example: Canada

     client.geo.location
       Longitude and latitude.
       type: geo_point
       example: { "lon": -73.614830, "lat": 45.505918 }

     client.geo.name
       User-defined description of a location, at the level of granularity
       they care about. Could be the name of their data centers, the floor
       number, if this describes a local physical entity, city names. Not
       typically used in automated geolocation.
       type: keyword
       example: boston-dc

     client.geo.postal_code
       Postal code associated with the location. Values appropriate for this
       field may also be known as a postcode or ZIP code and will vary widely
       from country to country.
       type: keyword
       example: 94040

     client.geo.region_iso_code
       Region ISO code.
       type: keyword
       example: CA-QC

     client.geo.region_name
       Region name.
       type: keyword
       example: Quebec

     client.geo.timezone
       The time zone of the location, such as IANA time zone name.
       type: keyword
       example: America/Argentina/Buenos_Aires

     client.ip
       IP address of the client (IPv4 or IPv6).
       type: ip

     client.mac
       MAC address of the client. The notation format from RFC 7042 is
       suggested: Each octet (that is, 8-bit byte) is represented by two
       [uppercase] hexadecimal digits giving the value of the octet as an
       unsigned integer. Successive octets are separated by a hyphen.
       type: keyword
       example: 00-00-5E-00-53-23

     client.nat.ip
       Translated IP of source based NAT sessions (e.g. internal client to
       internet). Typically connections traversing load balancers, firewalls,
       or routers.
       type: ip

     client.nat.port
       Translated port of source based NAT sessions (e.g. internal client to
       internet). Typically connections traversing load balancers, firewalls,
       or routers.
       type: long
       format: string

     client.packets
       Packets sent from the client to the server.
       type: long
       example: 12

     client.port
       Port of the client.
       type: long
       format: string

     client.registered_domain
       The highest registered client domain, stripped of the subdomain. For
       example, the registered domain for "foo.example.com" is "example.com".
       This value can be determined precisely with a list like the
     public suffix list ( http://publicsuffix.org ). Trying to approximate this
     by simply taking the last two labels will not work well for TLDs such as
     "co.uk". type: keyword example: example.com client.subdomain The subdomain
     portion of a fully qualified domain name includes all of the names except
     the host name under the registered_domain. In a partially qualified domain,
     or if the the qualification level of the full name cannot be determined,
     subdomain contains all of the names below the registered domain.For example
     the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain
     has multiple levels of subdomain, such as "sub2.sub1.example.com", the
     subdomain field should contain "sub2.sub1", with no trailing period. type:
     keyword example: east client.top_level_domain The effective top level
     domain (eTLD), also known as the domain suffix, is the last part of the
     domain name. For example, the top level domain for example.com is
     "com".This value can be determined precisely with a list like the public
     suffix list ( http://publicsuffix.org ). Trying to approximate this by
     simply taking the last label will not work well for effective TLDs such as
     "co.uk". type: keyword example: co.uk client.user.domain Name of the
     directory the user is a member of.For example, an LDAP or Active Directory
     domain name. type: keyword client.user.email User email address. type:
     keyword client.user.full_name User’s full name, if available. type: keyword
     example: Albert Einstein client.user.full_name.text type: match_only_text
     client.user.group.domain Name of the directory the group is a member of.For
     example, an LDAP or Active Directory domain name. type: keyword
     client.user.group.id Unique identifier for the group on the
     system/platform. type: keyword client.user.group.name Name of the group.
     type: keyword client.user.hash Unique user hash to correlate information
     for a user in anonymized form.Useful if user.id or user.name contain
     confidential information and cannot be used. type: keyword client.user.id
     Unique identifier of the user. type: keyword example:
     S-1-5-21-202424912787-2692429404-2351956786-1000 client.user.name Short
     name or login of the user. type: keyword example: a.einstein
     client.user.name.text type: match_only_text client.user.roles Array of user
     roles at the time of the event. type: keyword example: ["kibana_admin",
     "reporting_user"] cloud Fields related to the cloud or infrastructure the
     events are coming from. cloud.account.id The cloud account or organization
     id used to identify different entities in a multi-tenant
     environment.Examples: AWS account id, Google Cloud ORG Id, or other unique
     identifier. type: keyword example: 666777888999 cloud.account.name The
     cloud account name or alias used to identify different entities in a
     multi-tenant environment.Examples: AWS account name, Google Cloud ORG
     display name. type: keyword example: elastic-dev cloud.availability_zone
     Availability zone in which this host, resource, or service is located.
     type: keyword example: us-east-1c cloud.instance.id Instance ID of the host
     machine. type: keyword example: i-1234567890abcdef0 cloud.instance.name
     Instance name of the host machine. type: keyword cloud.machine.type Machine
     type of the host machine. type: keyword example: t2.medium
     cloud.origin.account.id The cloud account or organization id used to
     identify different entities in a multi-tenant environment.Examples: AWS
     account id, Google Cloud ORG Id, or other unique identifier. type: keyword
     example: 666777888999 cloud.origin.account.name The cloud account name or
     alias used to identify different entities in a multi-tenant
     environment.Examples: AWS account name, Google Cloud ORG display name.
     type: keyword example: elastic-dev cloud.origin.availability_zone
     Availability zone in which this host, resource, or service is located.
     type: keyword example: us-east-1c cloud.origin.instance.id Instance ID of
     the host machine. type: keyword example: i-1234567890abcdef0
     cloud.origin.instance.name Instance name of the host machine. type: keyword
     cloud.origin.machine.type Machine type of the host machine. type: keyword
     example: t2.medium cloud.origin.project.id The cloud project
     identifier.Examples: Google Cloud Project id, Azure Project id. type:
     keyword example: my-project cloud.origin.project.name The cloud project
     name.Examples: Google Cloud Project name, Azure Project name. type: keyword
     example: my project cloud.origin.provider Name of the cloud provider.
     Example values are aws, azure, gcp, or digitalocean. type: keyword example:
     aws cloud.origin.region Region in which this host, resource, or service is
     located. type: keyword example: us-east-1 cloud.origin.service.name The
     cloud service name is intended to distinguish services running on different
     platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine,
     Azure VM vs App Server.Examples: app engine, app service, cloud run,
     fargate, lambda. type: keyword example: lambda cloud.project.id The cloud
     project identifier.Examples: Google Cloud Project id, Azure Project id.
     type: keyword example: my-project cloud.project.name The cloud project
     name.Examples: Google Cloud Project name, Azure Project name. type: keyword
     example: my project cloud.provider Name of the cloud provider. Example
     values are aws, azure, gcp, or digitalocean. type: keyword example: aws
     cloud.region Region in which this host, resource, or service is located.
     type: keyword example: us-east-1 cloud.service.name The cloud service name
     is intended to distinguish services running on different platforms within a
     provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App
     Server.Examples: app engine, app service, cloud run, fargate, lambda. type:
     keyword example: lambda cloud.target.account.id The cloud account or
     organization id used to identify different entities in a multi-tenant
     environment.Examples: AWS account id, Google Cloud ORG Id, or other unique
     identifier. type: keyword example: 666777888999 cloud.target.account.name
     The cloud account name or alias used to identify different entities in a
     multi-tenant environment.Examples: AWS account name, Google Cloud ORG
     display name. type: keyword example: elastic-dev
     cloud.target.availability_zone Availability zone in which this host,
     resource, or service is located. type: keyword example: us-east-1c
     cloud.target.instance.id Instance ID of the host machine. type: keyword
     example: i-1234567890abcdef0 cloud.target.instance.name Instance name of
     the host machine. type: keyword cloud.target.machine.type Machine type of
     the host machine. type: keyword example: t2.medium cloud.target.project.id
     The cloud project identifier.Examples: Google Cloud Project id, Azure
     Project id. type: keyword example: my-project cloud.target.project.name The
     cloud project name.Examples: Google Cloud Project name, Azure Project name.
     type: keyword example: my project cloud.target.provider Name of the cloud
     provider. Example values are aws, azure, gcp, or digitalocean. type:
     keyword example: aws cloud.target.region Region in which this host,
     resource, or service is located. type: keyword example: us-east-1
     cloud.target.service.name The cloud service name is intended to distinguish
     services running on different platforms within a provider, eg AWS EC2 vs
     Lambda, GCP GCE vs App Engine, Azure VM vs App Server.Examples: app engine,
     app service, cloud run, fargate, lambda. type: keyword example: lambda
     code_signature These fields contain information about binary code
     signatures. code_signature.digest_algorithm The hashing algorithm used to
     sign the process.This value can distinguish signatures when a file is
     signed multiple times by the same signer but with a different digest
     algorithm. type: keyword example: sha256 code_signature.exists Boolean to
     capture if a signature is present. type: boolean example: true
     code_signature.signing_id The identifier used to sign the process.This is
     used to identify the application manufactured by a software vendor. The
     field is relevant to Apple *OS only. type: keyword example:
     com.apple.xpc.proxy code_signature.status Additional information about the
     certificate status.This is useful for logging cryptographic errors with the
     certificate validity or trust status. Leave unpopulated if the validity or
     trust of the certificate was unchecked. type: keyword example:
     ERROR_UNTRUSTED_ROOT code_signature.subject_name Subject name of the code
     signer type: keyword example: Microsoft Corporation code_signature.team_id
     The team identifier used to sign the process.This is used to identify the
     team or vendor of a software product. The field is relevant to Apple *OS
     only. type: keyword example: EQHXZ8M8AV code_signature.timestamp Date and
     time when the code signature was generated and signed. type: date example:
     2021-01-01T12:10:30Z code_signature.trusted Stores the trust status of the
     certificate chain.Validating the trust of the certificate chain may be
     complicated, and this field should only be populated by tools that actively
     check the status. type: boolean example: true code_signature.valid Boolean
     to capture if the digital signature is verified against the binary
     content.Leave unpopulated if a certificate was unchecked. type: boolean
     example: true container Container fields are used for meta information
     about the specific container that is the source of information. These
     fields help correlate data based containers from any runtime.
     container.cpu.usage Percent CPU used which is normalized by the number of
     CPU cores and it ranges from 0 to 1. Scaling factor: 1000. type:
     scaled_float container.disk.read.bytes The total number of bytes (gauge)
     read successfully (aggregated from all disks) since the last metric
     collection. type: long container.disk.write.bytes The total number of bytes
     (gauge) written successfully (aggregated from all disks) since the last
     metric collection. type: long container.id Unique container id. type:
     keyword container.image.name Name of the image the container was built on.
     type: keyword container.image.tag Container image tags. type: keyword
     container.labels Image labels. type: object container.memory.usage Memory
     usage percentage and it ranges from 0 to 1. Scaling factor: 1000. type:
     scaled_float container.name Container name. type: keyword
     container.network.egress.bytes The number of bytes (gauge) sent out on all
     network interfaces by the container since the last metric collection. type:
     long container.network.ingress.bytes The number of bytes received (gauge)
     on all network interfaces by the container since the last metric
     collection. type: long container.runtime Runtime managing this container.
     type: keyword example: docker data_stream The data_stream fields take part
     in defining the new data stream naming scheme.In the new data stream naming
     scheme the value of the data stream fields combine to the name of the
     actual data stream in the following manner:
     {data_stream.type}-{data_stream.dataset}-{data_stream.namespace} . This
     means the fields can only contain characters that are valid as part of
     names of data streams. More details about this can be found in this blog
     post .An Elasticsearch data stream consists of one or more backing indices,
     and a data stream name forms part of the backing indices names. Due to this
     convention, data streams must also follow index naming restrictions. For
     example, data stream names cannot include \ , / , * , ? , " , < , > , | , `
     ` (space character), , , or # . Please see the Elasticsearch reference for
     additional restrictions . data_stream.dataset The field can contain
     anything that makes sense to signify the source of the data.Examples
     include nginx.access , prometheus , endpoint etc. For data streams that
     otherwise fit, but that do not have dataset set we use the value "generic"
     for the dataset value. event.dataset should have the same value as
     data_stream.dataset .Beyond the Elasticsearch data stream naming criteria
     noted above, the dataset value has additional restrictions: * Must not
     contain - * No longer than 100 characters type: constant_keyword example:
     nginx.access data_stream.namespace A user defined namespace. Namespaces are
     useful to allow grouping of data.Many users already organize their indices
     this way, and the data stream naming scheme now provides this best practice
     as a default. Many users will populate this field with default . If no
     value is used, it falls back to default .Beyond the Elasticsearch index
     naming criteria noted above, namespace value has the additional
     restrictions: * Must not contain - * No longer than 100 characters type:
     constant_keyword example: production data_stream.type An overarching type
     for the data stream.Currently allowed values are "logs" and "metrics". We
     expect to also add "traces" and "synthetics" in the near future. type:
     constant_keyword example: logs destination Destination fields capture
     details about the receiver of a network exchange/packet. These fields are
     populated from a network event, packet, or other event containing details
     of a network transaction.Destination fields are usually populated in
     conjunction with source fields. The source and destination fields are
     considered the baseline and should always be filled if an event contains
     source and destination details from a network transaction. If the event
     also contains identification of the client and server roles, then the
     client and server fields should also be populated. destination.address Some
     event destination addresses are defined ambiguously. The event will
     sometimes list an IP, a domain or a unix socket. You should always store
     the raw address in the .address field.Then it should be duplicated to .ip
     or .domain , depending on which one it is. type: keyword
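The data_stream.* rules listed above (the {type}-{dataset}-{namespace} composition, the "generic" and "default" fallbacks, the no-hyphen and 100-character limits, and the index-name characters that are forbidden) are mechanical enough to check before an event is shipped. The following is an added example, not code from ECS or Elastic; the allowed type values are the two the reference currently lists, and the check functions and their names are this example's own.

```python
"""Compose and validate ECS data_stream.* values.

Added example (not ECS project code). Encodes the rules from the reference:
name = {type}-{dataset}-{namespace}; dataset and namespace must not contain
"-" and are at most 100 characters; the composed name must not contain the
index-name characters \ / * ? " < > | space , #. The allowed type values are
the ones the reference currently lists.
"""

FORBIDDEN_NAME_CHARS = set('\\/*?"<>| ,#')
ALLOWED_TYPES = {"logs", "metrics"}
MAX_PART_LEN = 100


def check_part(name, value):
    """Apply the dataset/namespace restrictions; return a list of problems."""
    problems = []
    if not value:
        problems.append(f"{name} is empty")
    if "-" in value:
        problems.append(f"{name} must not contain '-'")
    if len(value) > MAX_PART_LEN:
        problems.append(f"{name} longer than {MAX_PART_LEN} characters")
    bad = sorted(set(value) & FORBIDDEN_NAME_CHARS)
    if bad:
        problems.append(f"{name} contains characters not allowed in index names: {bad}")
    return problems


def build_data_stream_fields(ds_type, dataset=None, namespace=None):
    """Return (data_stream fields, composed data stream name).

    A missing dataset falls back to "generic" and a missing namespace to
    "default", as the reference describes. Raises ValueError listing every
    violated rule when the result would not be a valid data stream name.
    """
    dataset = dataset or "generic"
    namespace = namespace or "default"
    problems = []
    if ds_type not in ALLOWED_TYPES:
        problems.append(f"type {ds_type!r} not in {sorted(ALLOWED_TYPES)}")
    problems += check_part("dataset", dataset)
    problems += check_part("namespace", namespace)
    if problems:
        raise ValueError("; ".join(problems))
    fields = {
        "data_stream.type": ds_type,
        "data_stream.dataset": dataset,
        "data_stream.namespace": namespace,
        # event.dataset should carry the same value as data_stream.dataset.
        "event.dataset": dataset,
    }
    return fields, f"{ds_type}-{dataset}-{namespace}"


def try_build(ds_type, dataset=None, namespace=None):
    """Convenience wrapper: (name, None) on success, (None, error text) otherwise."""
    try:
        _, name = build_data_stream_fields(ds_type, dataset, namespace)
        return name, None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed inputs: one valid, one relying on fallbacks, two invalid.
    for args in [("logs", "nginx.access", "production"),
                 ("logs", None, None),
                 ("logs", "nginx-access", "prod"),
                 ("metrics", "system", "team a")]:
        print(args, "->", try_build(*args))
```

Rejecting a bad name at the producer is cheaper than discovering it as a rejected bulk request in Elasticsearch, and keeping event.dataset tied to data_stream.dataset avoids the two drifting apart when the dataset is set in one place and forgotten in the other.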
     destination.as.number
       Unique number allocated to the autonomous system. The autonomous system
       number (ASN) uniquely identifies each network on the Internet.
       type: long, example: 15169

     destination.as.organization.name
       Organization name.
       type: keyword, example: Google LLC

     destination.as.organization.name.text
       type: match_only_text

     destination.bytes
       Bytes sent from the destination to the source.
       type: long, format: bytes, example: 184

     destination.domain
       The domain name of the destination system. This value may be a host
       name, a fully qualified domain name, or another host naming format. The
       value may derive from the original event or be added from enrichment.
       type: keyword, example: foo.example.com

     destination.geo.city_name
       City name.
       type: keyword, example: Montreal

     destination.geo.continent_code
       Two-letter code representing the continent’s name.
       type: keyword, example: NA

     destination.geo.continent_name
       Name of the continent.
       type: keyword, example: North America

     destination.geo.country_iso_code
       Country ISO code.
       type: keyword, example: CA

     destination.geo.country_name
       Country name.
       type: keyword, example: Canada

     destination.geo.location
       Longitude and latitude.
       type: geo_point, example: { "lon": -73.614830, "lat": 45.505918 }

     destination.geo.name
       User-defined description of a location, at the level of granularity
       they care about. Could be the name of their data centers, the floor
       number, if this describes a local physical entity, city names. Not
       typically used in automated geolocation.
       type: keyword, example: boston-dc

     destination.geo.postal_code
       Postal code associated with the location. Values appropriate for this
       field may also be known as a postcode or ZIP code and will vary widely
       from country to country.
       type: keyword, example: 94040

     destination.geo.region_iso_code
       Region ISO code.
       type: keyword, example: CA-QC

     destination.geo.region_name
       Region name.
       type: keyword, example: Quebec

     destination.geo.timezone
       The time zone of the location, such as an IANA time zone name.
       type: keyword, example: America/Argentina/Buenos_Aires

     destination.ip
       IP address of the destination (IPv4 or IPv6).
       type: ip

     destination.mac
       MAC address of the destination. The notation format from RFC 7042 is
       suggested: each octet (that is, 8-bit byte) is represented by two
       [uppercase] hexadecimal digits giving the value of the octet as an
       unsigned integer. Successive octets are separated by a hyphen.
       type: keyword, example: 00-00-5E-00-53-23

     destination.nat.ip
       Translated IP of destination-based NAT sessions (e.g. internet to
       private DMZ). Typically used with load balancers, firewalls, or routers.
       type: ip

     destination.nat.port
       Port the source session is translated to by the NAT device. Typically
       used with load balancers, firewalls, or routers.
       type: long, format: string

     destination.packets
       Packets sent from the destination to the source.
       type: long, example: 12

     destination.port
       Port of the destination.
       type: long, format: string

     destination.registered_domain
       The highest registered destination domain, stripped of the subdomain.
       For example, the registered domain for "foo.example.com" is
       "example.com". This value can be determined precisely with a list like
       the public suffix list (http://publicsuffix.org). Trying to approximate
       this by simply taking the last two labels will not work well for TLDs
       such as "co.uk".
       type: keyword, example: example.com

     destination.subdomain
       The subdomain portion of a fully qualified domain name includes all of
       the names except the host name under the registered_domain. In a
       partially qualified domain, or if the qualification level of the full
       name cannot be determined, subdomain contains all of the names below
       the registered domain. For example, the subdomain portion of
       "www.east.mydomain.co.uk" is "east". If the domain has multiple levels
       of subdomain, such as "sub2.sub1.example.com", the subdomain field
       should contain "sub2.sub1", with no trailing period.
       type: keyword, example: east

     destination.top_level_domain
       The effective top level domain (eTLD), also known as the domain suffix,
       is the last part of the domain name. For example, the top level domain
       for example.com is "com". This value can be determined precisely with a
       list like the public suffix list (http://publicsuffix.org). Trying to
       approximate this by simply taking the last label will not work well for
       effective TLDs such as "co.uk".
       type: keyword, example: co.uk

     destination.user.domain
       Name of the directory the user is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword

     destination.user.email
       User email address.
       type: keyword

     destination.user.full_name
       User’s full name, if available.
       type: keyword, example: Albert Einstein

     destination.user.full_name.text
       type: match_only_text

     destination.user.group.domain
       Name of the directory the group is a member of. For example, an LDAP or
       Active Directory domain name.
       type: keyword

     destination.user.group.id
       Unique identifier for the group on the system/platform.
       type: keyword

     destination.user.group.name
       Name of the group.
       type: keyword

     destination.user.hash
       Unique user hash to correlate information for a user in anonymized
       form. Useful if user.id or user.name contain confidential information
       and cannot be used.
       type: keyword

     destination.user.id
       Unique identifier of the user.
       type: keyword, example: S-1-5-21-202424912787-2692429404-2351956786-1000

     destination.user.name
       Short name or login of the user.
       type: keyword, example: a.einstein

     destination.user.name.text
       type: match_only_text

     destination.user.roles
       Array of user roles at the time of the event.
       type: keyword, example: ["kibana_admin", "reporting_user"]

     dll
       These fields contain information about code libraries dynamically
       loaded into processes. Many operating systems refer to "shared code
       libraries" with different names, but this field set refers to all of
       the following:
        * Dynamic-link library (.dll) commonly used on Windows
        * Shared Object (.so) commonly used on Unix-like operating systems
        * Dynamic library (.dylib) commonly used on macOS

     dll.code_signature.digest_algorithm
       The hashing algorithm used to sign the process. This value can
       distinguish signatures when a file is signed multiple times by the same
       signer but with a different digest algorithm.
       type: keyword, example: sha256

     dll.code_signature.exists
       Boolean to capture if a signature is present.
       type: boolean, example: true

     dll.code_signature.signing_id
       The identifier used to sign the process. This is used to identify the
       application manufactured by a software vendor. The field is relevant to
       Apple *OS only.
       type: keyword, example: com.apple.xpc.proxy

     dll.code_signature.status
       Additional information about the certificate status. This is useful for
       logging cryptographic errors with the certificate validity or trust
       status. Leave unpopulated if the validity or trust of the certificate
       was unchecked.
       type: keyword, example: ERROR_UNTRUSTED_ROOT

     dll.code_signature.subject_name
       Subject name of the code signer.
       type: keyword, example: Microsoft Corporation

     dll.code_signature.team_id
       The team identifier used to sign the process. This is used to identify
       the team or vendor of a software product. The field is relevant to
       Apple *OS only.
       type: keyword, example: EQHXZ8M8AV

     dll.code_signature.timestamp
       Date and time when the code signature was generated and signed.
       type: date, example: 2021-01-01T12:10:30Z

     dll.code_signature.trusted
       Stores the trust status of the certificate chain. Validating the trust
       of the certificate chain may be complicated, and this field should only
       be populated by tools that actively check the status.
       type: boolean, example: true

     dll.code_signature.valid
       Boolean to capture if the digital signature is verified against the
       binary content. Leave unpopulated if a certificate was unchecked.
       type: boolean, example: true

     dll.hash.md5
       MD5 hash.
       type: keyword

     dll.hash.sha1
       SHA1 hash.
       type: keyword

     dll.hash.sha256
       SHA256 hash.
       type: keyword

     dll.hash.sha512
       SHA512 hash.
       type: keyword

     dll.hash.ssdeep
       SSDEEP hash.
       type: keyword

     dll.name
       Name of the library. This generally maps to the name of the file on
       disk.
       type: keyword, example: kernel32.dll

     dll.path
       Full file path of the library.
       type: keyword, example: C:\Windows\System32\kernel32.dll

     dll.pe.architecture
       CPU architecture target for the file.
       type: keyword, example: x64

     dll.pe.company
       Internal company name of the file, provided at compile-time.
       type: keyword, example: Microsoft Corporation

     dll.pe.description
       Internal description of the file, provided at compile-time.
       type: keyword, example: Paint

     dll.pe.file_version
       Internal version of the file, provided at compile-time.
       type: keyword, example: 6.3.9600.17415

     dll.pe.imphash
       A hash of the imports in a PE file. An imphash, or import hash, can be
       used to fingerprint binaries even after recompilation or other
       code-level transformations have occurred, which would change more
       traditional hash values. Learn more at
       https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
       type: keyword, example: 0c6803c4e922103c4dca5963aad36ddf

     dll.pe.original_file_name
       Internal name of the file, provided at compile-time.
       type: keyword, example: MSPAINT.EXE

     dll.pe.product
       Internal product name of the file, provided at compile-time.
       type: keyword, example: Microsoft® Windows® Operating System

     dns
       Fields describing DNS queries and answers. DNS events should either
       represent a single DNS query prior to getting answers (dns.type:query)
       or they should represent a full exchange and contain the query details
       as well as all of the answers that were provided for this query
       (dns.type:answer).

     dns.answers
       An array containing an object for each answer section returned by the
       server. The main keys that should be present in these objects are
       defined by ECS. Records that have more information may contain more
       keys than what ECS defines. Not all DNS data sources give all details
       about DNS answers. At minimum, answer objects must contain the data
       key. If more information is available, map as much of it to ECS as
       possible, and add any additional fields to the answer objects as custom
       fields.
       type: object
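The dns.answers contract above (data is the only mandatory key, each CNAME hop keeps its own name) pairs with dns.resolved_ip, defined further down in this reference, which pulls every address out of answers[].data so it can be indexed as type ip. The following is an added example, not code from ECS or Elastic; the raw answer tuples are a constructed sample standing in for whatever a resolver or packet parser hands over, and the function names are this example's own.

```python
"""Normalize resolver answers into ECS dns.answers and dns.resolved_ip.

Added example (not ECS project code). RAW_ANSWERS is a constructed sample,
not a real capture: a CNAME chain ending in A and AAAA records plus an MX
record whose data is not an address. Field names are the ECS ones.
"""
import ipaddress

# Constructed upstream rows (hypothetical format): name, type, class, ttl, data.
RAW_ANSWERS = [
    ("www.example.com", "CNAME", "IN", 300, "edge.example.net"),
    ("edge.example.net", "A", "IN", 60, "10.10.10.10"),
    ("edge.example.net", "A", "IN", 60, "10.10.10.11"),
    ("edge.example.net", "AAAA", "IN", 60, "2001:db8::1"),
    ("example.com", "MX", "IN", 3600, "10 mail.example.com"),
]


def to_ecs_answer(name, rtype, rclass, ttl, data):
    """Build one dns.answers object.

    dns.answers.data is the only mandatory key; the others are filled only
    when the source provides them. For a CNAME chain each answer keeps its
    own name instead of repeating question.name.
    """
    answer = {"data": data}
    if name:
        answer["name"] = name
    if rtype:
        answer["type"] = rtype
    if rclass:
        answer["class"] = rclass
    if ttl is not None:
        answer["ttl"] = int(ttl)
    return answer


def extract_resolved_ips(answers):
    """Collect every answers[].data value that parses as an IP address.

    CNAME targets, MX priorities and hosts, TXT blobs and the like are
    skipped; that mixed content is exactly why dns.resolved_ip exists as a
    separate ip-typed field. Duplicates are dropped, first-seen order kept.
    """
    seen = []
    for ans in answers:
        try:
            ip = ipaddress.ip_address(ans["data"])
        except ValueError:
            continue
        text = str(ip)
        if text not in seen:
            seen.append(text)
    return seen


def build_dns_answer_event(question_name, raw_answers, dns_id="62111"):
    """Assemble the dns.* portion of a dns.type:answer event."""
    answers = [to_ecs_answer(*row) for row in raw_answers]
    return {
        "dns": {
            "type": "answer",
            "id": dns_id,
            "question": {"name": question_name},
            "answers": answers,
            "resolved_ip": extract_resolved_ips(answers),
            "response_code": "NOERROR",
        }
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_dns_answer_event("www.example.com", RAW_ANSWERS), indent=2))
```

Parsing with ipaddress rather than a regular expression also normalizes IPv6 spelling, so the same address written two ways in different answers collapses to one value in dns.resolved_ip and matches an indicator list on equality.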
     dns.answers.class
       The class of DNS data contained in this resource record.
       type: keyword, example: IN

     dns.answers.data
       The data describing the resource. The meaning of this data depends on
       the type and class of the resource record.
       type: keyword, example: 10.10.10.10

     dns.answers.name
       The domain name to which this resource record pertains. If a chain of
       CNAME is being resolved, each answer’s name should be the one that
       corresponds with the answer’s data. It should not simply be the original
       question.name repeated.
       type: keyword, example: www.example.com

     dns.answers.ttl
       The time interval in seconds that this resource record may be cached
       before it should be discarded. Zero values mean that the data should
       not be cached.
       type: long, example: 180

     dns.answers.type
       The type of data contained in this resource record.
       type: keyword, example: CNAME

     dns.header_flags
       Array of 2 letter DNS header flags. Expected values are: AA, TC, RD,
       RA, AD, CD, DO.
       type: keyword, example: ["RD", "RA"]

     dns.id
       The DNS packet identifier assigned by the program that generated the
       query. The identifier is copied to the response.
       type: keyword, example: 62111

     dns.op_code
       The DNS operation code that specifies the kind of query in the message.
       This value is set by the originator of a query and copied into the
       response.
       type: keyword, example: QUERY

     dns.question.class
       The class of records being queried.
       type: keyword, example: IN

     dns.question.name
       The name being queried. If the name field contains non-printable
       characters (below 32 or above 126), those characters should be
       represented as escaped base 10 integers (\DDD). Back slashes and quotes
       should be escaped. Tabs, carriage returns, and line feeds should be
       converted to \t, \r, and \n respectively.
       type: keyword, example: www.example.com

     dns.question.registered_domain
       The highest registered domain, stripped of the subdomain. For example,
       the registered domain for "foo.example.com" is "example.com". This
       value can be determined precisely with a list like the public suffix
       list (http://publicsuffix.org). Trying to approximate this by simply
       taking the last two labels will not work well for TLDs such as "co.uk".
       type: keyword, example: example.com

     dns.question.subdomain
       The subdomain is all of the labels under the registered_domain. If the
       domain has multiple levels of subdomain, such as
       "sub2.sub1.example.com", the subdomain field should contain
       "sub2.sub1", with no trailing period.
       type: keyword, example: www
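The registered_domain, subdomain and top_level_domain fields (defined above for client and destination and here for dns.question) all depend on the public suffix list, and the reference twice warns that taking the last one or two labels breaks on suffixes such as "co.uk". The following is an added example, not code from ECS, Elastic or publicsuffix.org: it implements the published matching algorithm (longest matching rule wins, "*." rules match one label, "!" rules are exceptions) over a small constructed subset of rules in the list's format; a real deployment loads the full list. It follows the dns.question.subdomain definition (all labels under the registered domain, so "sub2.sub1.example.com" gives "sub2.sub1"); the client/destination wording that also drops a host-name label is left to the reader, since the page's "east" example and its "sub2.sub1" example are not produced by one rule.

```python
"""Split a host name into ECS top_level_domain / registered_domain / subdomain.

Added example (not ECS or publicsuffix.org code). PSL_RULES is a small
constructed subset written in the public suffix list format; production
code must load the full list from https://publicsuffix.org.
"""

PSL_RULES = [
    "com", "net", "io", "github.io",
    "uk", "co.uk", "org.uk",
    "*.ck", "!www.ck",
]


def rule_matches(rule, labels):
    """True if the rule labels (possibly '*') match the tail of the host labels."""
    if len(rule) > len(labels):
        return False
    tail = labels[-len(rule):]
    return all(r == "*" or r == lab for r, lab in zip(rule, tail))


def public_suffix_len(host, rules=PSL_RULES):
    """Number of labels that form the effective TLD of `host`."""
    labels = host.lower().rstrip(".").split(".")
    best = None
    for raw in rules:
        exception = raw.startswith("!")
        rule = raw.lstrip("!").split(".")
        if not rule_matches(rule, labels):
            continue
        if exception:
            # A matching exception rule wins outright; its suffix is the rule
            # minus its first label.
            return len(rule) - 1
        if best is None or len(rule) > best:
            best = len(rule)
    # No rule matched: the list prescribes treating the last label as the suffix.
    return best if best is not None else 1


def split_domain(host, rules=PSL_RULES):
    """Return the three ECS domain parts; a part is None when absent."""
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix_len(host, rules)
    tld = ".".join(labels[-n:])
    if len(labels) <= n:
        # The host is itself a public suffix: nothing is registered under it.
        return {"top_level_domain": tld, "registered_domain": None, "subdomain": None}
    registered = ".".join(labels[-(n + 1):])
    sub = ".".join(labels[:-(n + 1)]) or None
    return {"top_level_domain": tld, "registered_domain": registered, "subdomain": sub}


def naive_split(host):
    """The last-two-labels shortcut the reference warns against, for comparison."""
    return ".".join(host.lower().split(".")[-2:])


if __name__ == "__main__":
    for h in ["www.east.mydomain.co.uk", "sub2.sub1.example.com",
              "foo.github.io", "www.ck", "a.b.ck"]:
        print(h, split_domain(h), "naive:", naive_split(h))
```

The "github.io" rule shows why this matters beyond country suffixes: two unrelated tenants under a shared hosting suffix get distinct registered_domain values, so a detection keyed on registered_domain does not lump them together, and the naive shortcut would have reported "github.io" for both.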
     dns.question.top_level_domain
       The effective top level domain (eTLD), also known as the domain suffix,
       is the last part of the domain name. For example, the top level domain
       for example.com is "com". This value can be determined precisely with a
       list like the public suffix list (http://publicsuffix.org). Trying to
       approximate this by simply taking the last label will not work well for
       effective TLDs such as "co.uk".
       type: keyword, example: co.uk

     dns.question.type
       The type of record being queried.
       type: keyword, example: AAAA

     dns.resolved_ip
       Array containing all IPs seen in answers.data. The answers array can be
       difficult to use, because of the variety of data formats it can
       contain. Extracting all IP addresses seen in there to dns.resolved_ip
       makes it possible to index them as IP addresses, and makes them easier
       to visualize and query for.
       type: ip, example: ["10.10.10.10", "10.10.10.11"]

     dns.response_code
       The DNS response code.
       type: keyword, example: NOERROR

     dns.type
       The type of DNS event captured, query or answer. If your source of DNS
       events only gives you DNS queries, you should only create dns events of
       type dns.type:query. If your source of DNS events gives you answers as
       well, you should create one event per query (optionally as soon as the
       query is seen), and a second event containing all query details as well
       as an array of answers.
       type: keyword, example: answer

     ecs
       Meta-information specific to ECS.

     ecs.version
       ECS version this event conforms to. ecs.version is a required field and
       must exist in all events. When querying across multiple indices, which
       may conform to slightly different ECS versions, this field lets
       integrations adjust to the schema version of the events.
       type: keyword, example: 1.0.0, required: True

     elf
       These fields contain Linux Executable Linkable Format (ELF) metadata.

     elf.architecture
       Machine architecture of the ELF file.
       type: keyword, example: x86-64

     elf.byte_order
       Byte sequence of the ELF file.
       type: keyword, example: Little Endian

     elf.cpu_type
       CPU type of the ELF file.
       type: keyword, example: Intel

     elf.creation_date
       Extracted when possible from the file’s metadata. Indicates when it was
       built or compiled. It can also be faked by malware creators.
       type: date

     elf.exports
       List of exported element names and types.
       type: flattened

     elf.header.abi_version
       Version of the ELF Application Binary Interface (ABI).
       type: keyword

     elf.header.class
       Header class of the ELF file.
       type: keyword

     elf.header.data
       Data table of the ELF header.
       type: keyword

     elf.header.entrypoint
       Header entrypoint of the ELF file.
       type: long, format: string

     elf.header.object_version
       "0x1" for original ELF files.
       type: keyword

     elf.header.os_abi
       Application Binary Interface (ABI) of the Linux OS.
       type: keyword

     elf.header.type
       Header type of the ELF file.
       type: keyword

     elf.header.version
       Version of the ELF header.
       type: keyword

     elf.imports
       List of imported element names and types.
       type: flattened

     elf.sections
       An array containing an object for each section of the ELF file. The
       keys that should be present in these objects are defined by sub-fields
       underneath elf.sections.*.
       type: nested
     elf.sections.chi2 Chi-square probability distribution of the section. type:
     long format: number elf.sections.entropy Shannon entropy calculation from
     the section. type: long format: number elf.sections.flags ELF Section List
     flags. type: keyword elf.sections.name ELF Section List name. type: keyword
     elf.sections.physical_offset ELF Section List offset. type: keyword
     elf.sections.physical_size ELF Section List physical size. type: long
     format: bytes elf.sections.type ELF Section List type. type: keyword
     elf.sections.virtual_address ELF Section List virtual address. type: long
     format: string elf.sections.virtual_size ELF Section List virtual size.
     type: long format: string elf.segments An array containing an object for
     each segment of the ELF file.The keys that should be present in these
     objects are defined by sub-fields underneath elf.segments.* . type: nested
     elf.segments.sections ELF object segment sections. type: keyword
     elf.segments.type ELF object segment type. type: keyword
     elf.shared_libraries List of shared libraries used by this ELF object.
     type: keyword elf.telfhash telfhash symbol hash for ELF file. type: keyword
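Returning to the dns.question.* naming fields above: the following is an added example, not code from the ECS reference or from Elastic, that splits a queried name into its effective TLD, registered domain (eTLD plus one label, an assumption about the field not shown in this excerpt) and subdomain using a suffix list, and shows the last-label shortcut the reference warns against for "co.uk". PUBLIC_SUFFIXES is a constructed seven-entry stand-in for the real public suffix list.

```python
# Added example, not from the ECS reference or from Elastic code: split a
# queried name into the dns.question.* naming parts using a suffix list, and
# show the last-label shortcut the reference warns against.

# Constructed stand-in for the public suffix list (publicsuffix.org). A real
# pipeline loads the full list; these entries exist only for the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "org.uk"}


def effective_tld(name, suffixes=PUBLIC_SUFFIXES):
    """Longest suffix from the list that matches whole labels of name.

    When no rule matches, the last label is used, which mirrors the public
    suffix list's implicit "*" rule for TLDs it does not know.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):             # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return labels[-1]


def naive_tld(name):
    """The approximation the reference warns about: just the last label."""
    return name.rstrip(".").lower().split(".")[-1]


def split_domain(name, suffixes=PUBLIC_SUFFIXES):
    """Return top_level_domain, registered_domain and subdomain for name.

    registered_domain is the eTLD plus one label (the "eTLD+1"); subdomain
    is everything left of that, with no trailing period, as the
    dns.question.subdomain entry requires.
    """
    clean = name.rstrip(".").lower()
    tld = effective_tld(clean, suffixes)
    fields = {"name": clean, "top_level_domain": tld,
              "registered_domain": None, "subdomain": None}
    if clean == tld:                          # query for the suffix itself
        return fields
    rest = clean[: -(len(tld) + 1)].split(".")   # labels left of the eTLD
    fields["registered_domain"] = rest[-1] + "." + tld
    if len(rest) > 1:
        fields["subdomain"] = ".".join(rest[:-1])
    return fields


if __name__ == "__main__":
    for q in ("www.example.co.uk", "sub2.sub1.example.com", "example.com."):
        print(split_domain(q), "naive:", naive_tld(q))
```

The loop in effective_tld tries the longest candidate first, so "co.uk" wins over "uk" for www.example.co.uk, while naive_tld returns "uk" and would put the registered domain one label too far to the right.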
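For the elf.* fields above, here is an added example, not code from the ECS reference or from any Elastic product, that parses a constructed little-endian ELF64 header into elf.architecture, elf.byte_order and the elf.header.* values, and computes per-section entropy and chi-square figures of the kind elf.sections.entropy and elf.sections.chi2 carry. The lookup tables are deliberately short, and the chi-square value is assumed to be the plain statistic against a uniform byte distribution, since the reference does not define it further.

```python
import math
import struct
from collections import Counter

# Added example, not from the ECS reference or from any Elastic product:
# parse a constructed ELF64 header into the elf.header.* / elf.architecture
# fields, and compute per-section entropy and chi-square values of the kind
# elf.sections.entropy and elf.sections.chi2 carry.

# Small constructed lookup tables; real tools carry the full e_machine,
# e_type and OS ABI lists.
MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
OS_ABIS = {0: "SYSV", 3: "LINUX"}


def parse_elf_header(blob):
    """Return elf.* values from the 64-byte ELF64 header at the start of blob.

    ELF32 uses different offsets after e_version, so it is rejected rather
    than mis-parsed.
    """
    if len(blob) < 64 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = blob[4:9]
    if ei_class != 2:
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine, _e_version, e_entry = struct.unpack_from(
        endian + "HHIQ", blob, 16)
    return {
        "elf.architecture": MACHINES.get(e_machine, "unknown(0x%x)" % e_machine),
        "elf.byte_order": "Little Endian" if ei_data == 1 else "Big Endian",
        "elf.header.class": "ELF64",
        "elf.header.version": str(ei_version),
        "elf.header.os_abi": OS_ABIS.get(ei_osabi, str(ei_osabi)),
        "elf.header.abi_version": str(ei_abiversion),
        "elf.header.type": TYPES.get(e_type, str(e_type)),
        "elf.header.entrypoint": e_entry,
    }


def section_stats(data):
    """Shannon entropy (bits per byte) and the chi-square statistic of the
    byte histogram against a uniform distribution.

    Assumption: the reference does not say which chi-square quantity
    elf.sections.chi2 holds; this example uses the plain statistic, which
    is near 0 for uniform (packed or encrypted) data and large for code/text.
    """
    n = len(data)
    if n == 0:
        return {"entropy": 0.0, "chi2": 0.0}
    counts = Counter(data)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    expected = n / 256
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return {"entropy": round(entropy, 4), "chi2": round(chi2, 2)}


def demo_header():
    """Constructed little-endian ELF64 header: x86-64 PIE (e_type DYN),
    entry point 0x1040, no program or section headers."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)
    fixed = struct.pack("<HHIQQQIHHHHHH",
                        3, 0x3E, 1, 0x1040,   # e_type, e_machine, e_version, e_entry
                        64, 0, 0,             # e_phoff, e_shoff, e_flags
                        64, 56, 0, 64, 0, 0)  # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + fixed


if __name__ == "__main__":
    print(parse_elf_header(demo_header()))
    print(section_stats(bytes(range(256)) * 4))   # uniform bytes: entropy 8.0, chi2 0.0
    print(section_stats(b"\x00" * 64))            # constant bytes: entropy 0.0
```

Keeping entropy and chi2 per section rather than per file is what lets a detection compare, for example, a .text section that suddenly looks uniform against the rest of the binary; a whole-file figure would average that signal away.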
error
These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.
 * error.code: Error code describing the error. type: keyword
 * error.id: Unique identifier for the error. type: keyword
 * error.message: Error message. type: match_only_text
 * error.stack_trace: The stack trace of this error in plain text. type: wildcard
 * error.stack_trace.text: type: match_only_text
 * error.type: The type of the error, for example the class name of the exception. type: keyword; example: java.lang.NullPointerException

event
The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the event.kind definition in this section for additional details about metric and state events.
 * event.action: The action captured by the event. This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer. type: keyword; example: user-password-change
 * event.agent_id_status: Agents are normally responsible for populating the agent.id field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example, if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued, then the agent.id value in events can be checked against the certificate. If the values match then event.agent_id_status: verified is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: verified (the agent.id field value matches the expected value obtained from auth metadata); mismatch (the agent.id field value does not match the expected value obtained from auth metadata); missing (there was no agent.id field in the event to validate); auth_metadata_missing (there was no auth metadata or it was missing information about the agent ID). type: keyword; example: verified
 * event.category: This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. type: keyword; example: authentication
 * event.code: Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. type: keyword; example: 4648
 * event.created: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contains the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. type: date; example: 2016-05-23T08:05:34.857Z
 * event.dataset: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword; example: apache.access
 * event.duration: Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. type: long; format: duration
 * event.end: event.end contains the date when the event ended or when the activity was last observed. type: date
 * event.hash: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword; example: 123456789012345678901234567890ABCD
 * event.id: Unique ID to describe the event. type: keyword; example: 8a4f500d
 * event.ingested: Timestamp when an event arrived in the central data store. This is different from @timestamp, which is when the event originally occurred. It's also different from event.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested. type: date; example: 2016-05-23T08:05:35.101Z
 * event.kind: This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention or different access control, and it may also help to understand whether the data is coming in at a regular interval or not. type: keyword; example: alert
 * event.module: Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. type: keyword; example: apache
 * event.original: Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference. type: keyword; example: Sep 19 08:26:10 host CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232. Field is not indexed.
 * event.outcome: This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense. type: keyword; example: success
 * event.provider: Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). type: keyword; example: kernel
 * event.reason: Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where event.action captures the action from the event, event.reason describes why that action was taken. For example, a web proxy with an event.action which denied the request may also populate event.reason with the reason why (e.g. blocked site). type: keyword; example: Terminated an unexpected process
 * event.reference: Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by event.kind:alert, are a common use case for this field. type: keyword; example: https://system.example.com/event/#0001234
 * event.risk_score: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float
 * event.risk_score_norm: Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. type: float
 * event.sequence: Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long; format: string
 * event.severity: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in log.syslog.severity.code. event.severity is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the log.syslog.severity.code to event.severity. type: long; format: string; example: 7
 * event.start: event.start contains the date when the event started or when the activity was first observed. type: date
 * event.timezone: This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword
 * event.type: This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. type: keyword
 * event.url: URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert, are a common use case for this field. type: keyword; example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
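The following is an added example, not code from the ECS reference or from Elastic Agent, that applies three of the rules stated in the event.* entries above to one event: deriving event.agent_id_status from what the receiver learned at authentication, checking the @timestamp < event.created < event.ingested ordering and the two delays the reference says to monitor, and computing event.duration from event.start and event.end. The auth_metadata dict shape ({"agent_id": ...}) is constructed for the demo; the sample event reuses the reference's own event.created and event.ingested values and makes up the rest.

```python
from datetime import datetime, timezone

# Added example, not from the ECS reference or any Elastic product. It applies
# three rules the event.* entries state: the event.agent_id_status values,
# the @timestamp < event.created < event.ingested ordering, and
# event.duration as end minus start in nanoseconds.

ISO_MS = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_ts(value):
    """Parse the UTC timestamp format used in the reference's examples."""
    return datetime.strptime(value, ISO_MS).replace(tzinfo=timezone.utc)


def _millis(delta):
    """Whole milliseconds in a timedelta, using integer arithmetic only."""
    return (delta.days * 86_400_000 + delta.seconds * 1000
            + delta.microseconds // 1000)


def agent_id_status(event, auth_metadata):
    """Return the event.agent_id_status value for one event.

    auth_metadata stands for what the receiving system learned from the
    client's authentication, e.g. the agent ID in an mTLS client cert. Its
    shape here ({"agent_id": ...}) is constructed for the demo.
    """
    expected = (auth_metadata or {}).get("agent_id")
    if not expected:
        return "auth_metadata_missing"
    actual = (event.get("agent") or {}).get("id")
    if actual is None:
        return "missing"
    return "verified" if actual == expected else "mismatch"


def timestamp_checks(event):
    """Ordering check plus the two delays the reference says to monitor."""
    ts = parse_ts(event["@timestamp"])
    created = parse_ts(event["event"]["created"])
    ingested = parse_ts(event["event"]["ingested"])
    return {
        "ordered": ts <= created <= ingested,
        "agent_delay_ms": _millis(created - ts),          # source -> agent
        "pipeline_delay_ms": _millis(ingested - created),  # agent -> store
    }


def event_duration_ns(event):
    """event.duration: end minus start in nanoseconds, or None if unknown."""
    ev = event["event"]
    if "start" not in ev or "end" not in ev:
        return None
    delta = parse_ts(ev["end"]) - parse_ts(ev["start"])
    return (delta.days * 86_400 + delta.seconds) * 10**9 + delta.microseconds * 1000


# Constructed sample event; created/ingested are the reference's own example
# values, the other fields are made up for the demo.
SAMPLE_EVENT = {
    "@timestamp": "2016-05-23T08:05:34.500Z",
    "agent": {"id": "agent-01"},
    "event": {
        "created": "2016-05-23T08:05:34.857Z",
        "ingested": "2016-05-23T08:05:35.101Z",
        "start": "2016-05-23T08:05:30.000Z",
        "end": "2016-05-23T08:05:34.500Z",
    },
}

if __name__ == "__main__":
    print(agent_id_status(SAMPLE_EVENT, {"agent_id": "agent-01"}))
    print(timestamp_checks(SAMPLE_EVENT))
    print(event_duration_ns(SAMPLE_EVENT))
```

An "ordered": False result is the condition the event.ingested entry describes as abnormal (clock skew or tampering) and is worth alerting on separately from the delay values, which only measure how far behind the agent and pipeline are.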
faas
The faas fields describe information about the function as a service that is relevant to the event.
 * faas.coldstart: Boolean value indicating a cold start of a function. type: boolean
 * faas.execution: The execution ID of the current function execution. type: keyword; example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
 * faas.trigger: Details about the function trigger. type: nested
 * faas.trigger.request_id: The ID of the trigger request, message, event, etc. type: keyword; example: 123456789
 * faas.trigger.type: The trigger for the function execution. Expected values are: http, pubsub, datasource, timer, other. type: keyword; example: http

file
A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
 * file.accessed: Last time the file was accessed. Note that not all filesystems keep track of access time. type: date
 * file.attributes: Array of file attributes. Attribute names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword; example: ["readonly", "system"]
 * file.code_signature.digest_algorithm: The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. type: keyword; example: sha256
 * file.code_signature.exists: Boolean to capture if a signature is present. type: boolean; example: true
 * file.code_signature.signing_id: The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword; example: com.apple.xpc.proxy
 * file.code_signature.status: Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword; example: ERROR_UNTRUSTED_ROOT
 * file.code_signature.subject_name: Subject name of the code signer. type: keyword; example: Microsoft Corporation
 * file.code_signature.team_id: The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword; example: EQHXZ8M8AV
 * file.code_signature.timestamp: Date and time when the code signature was generated and signed. type: date; example: 2021-01-01T12:10:30Z
 * file.code_signature.trusted: Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. type: boolean; example: true
 * file.code_signature.valid: Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. type: boolean; example: true
 * file.created: File creation time. Note that not all filesystems store the creation time. type: date
 * file.ctime: Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file. type: date
 * file.device: Device that is the source of the file. type: keyword; example: sda
 * file.directory: Directory where the file is located. It should include the drive letter, when appropriate. type: keyword; example: /home/alice
 * file.drive_letter: Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. type: keyword; example: C
 * file.elf.architecture: Machine architecture of the ELF file. type: keyword; example: x86-64
 * file.elf.byte_order: Byte sequence of ELF file. type: keyword; example: Little Endian
 * file.elf.cpu_type: CPU type of the ELF file. type: keyword; example: Intel
 * file.elf.creation_date: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date
 * file.elf.exports: List of exported element names and types. type: flattened
 * file.elf.header.abi_version: Version of the ELF Application Binary Interface (ABI). type: keyword
 * file.elf.header.class: Header class of the ELF file. type: keyword
 * file.elf.header.data: Data table of the ELF header. type: keyword
 * file.elf.header.entrypoint: Header entrypoint of the ELF file. type: long; format: string
 * file.elf.header.object_version: "0x1" for original ELF files. type: keyword
 * file.elf.header.os_abi: Application Binary Interface (ABI) of the Linux OS. type: keyword
 * file.elf.header.type: Header type of the ELF file. type: keyword
 * file.elf.header.version: Version of the ELF header. type: keyword
 * file.elf.imports: List of imported element names and types. type: flattened
 * file.elf.sections: An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*. type: nested
 * file.elf.sections.chi2: Chi-square probability distribution of the section. type: long; format: number
 * file.elf.sections.entropy: Shannon entropy calculation from the section. type: long; format: number
 * file.elf.sections.flags: ELF Section List flags. type: keyword
 * file.elf.sections.name: ELF Section List name. type: keyword
 * file.elf.sections.physical_offset: ELF Section List offset. type: keyword
 * file.elf.sections.physical_size: ELF Section List physical size. type: long; format: bytes
 * file.elf.sections.type: ELF Section List type. type: keyword
 * file.elf.sections.virtual_address: ELF Section List virtual address. type: long; format: string
 * file.elf.sections.virtual_size: ELF Section List virtual size. type: long; format: string
 * file.elf.segments: An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*. type: nested
 * file.elf.segments.sections: ELF object segment sections. type: keyword
 * file.elf.segments.type: ELF object segment type. type: keyword
 * file.elf.shared_libraries: List of shared libraries used by this ELF object. type: keyword
 * file.elf.telfhash: telfhash symbol hash for ELF file. type: keyword
 * file.extension: File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword; example: png
 * file.fork_name: A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name. type: keyword; example: Zone.Identifier
 * file.gid: Primary group ID (GID) of the file. type: keyword; example: 1001
 * file.group: Primary group name of the file. type: keyword; example: alice
 * file.hash.md5: MD5 hash. type: keyword
 * file.hash.sha1: SHA1 hash. type: keyword
 * file.hash.sha256: SHA256 hash. type: keyword
 * file.hash.sha512: SHA512 hash. type: keyword
 * file.hash.ssdeep: SSDEEP hash. type: keyword
 * file.inode: Inode representing the file in the filesystem. type: keyword; example: 256383
 * file.mime_type: MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used. type: keyword
 * file.mode: Mode of the file in octal representation. type: keyword; example: 0640
 * file.mtime: Last time the file content was modified. type: date
 * file.name: Name of the file including the extension, without the directory. type: keyword; example: example.png
 * file.owner: File owner's username. type: keyword; example: alice
 * file.path: Full path to the file, including the file name. It should include the drive letter, when appropriate. type: keyword; example: /home/alice/example.png
 * file.path.text: type: match_only_text
 * file.pe.architecture: CPU architecture target for the file. type: keyword; example: x64
 * file.pe.company: Internal company name of the file, provided at compile-time. type: keyword; example: Microsoft Corporation
 * file.pe.description: Internal description of the file, provided at compile-time. type: keyword; example: Paint
 * file.pe.file_version: Internal version of the file, provided at compile-time. type: keyword; example: 6.3.9600.17415
 * file.pe.imphash: A hash of the imports in a PE file. An imphash, or import hash, can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword; example: 0c6803c4e922103c4dca5963aad36ddf
 * file.pe.original_file_name: Internal name of the file, provided at compile-time. type: keyword; example: MSPAINT.EXE
 * file.pe.product: Internal product name of the file, provided at compile-time. type: keyword; example: Microsoft® Windows® Operating System
 * file.size: File size in bytes. Only relevant when file.type is "file". type: long; example: 16384
 * file.target_path: Target path for symlinks. type: keyword
 * file.target_path.text: type: match_only_text
 * file.type: File type (file, dir, or symlink). type: keyword; example: file
 * file.uid: The user ID (UID) or security identifier (SID) of the file owner. type: keyword; example: 1001
 * file.x509.alternative_names: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword; example: *.elastic.co
 * file.x509.issuer.common_name: List of common name (CN) of issuing certificate authority. type: keyword; example: Example SHA2 High Assurance Server CA
 * file.x509.issuer.country: List of country (C) codes. type: keyword; example: US
 * file.x509.issuer.distinguished_name: Distinguished name (DN) of issuing certificate authority. type: keyword; example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
 * file.x509.issuer.locality: List of locality names (L). type: keyword; example: Mountain View
 * file.x509.issuer.organization: List of organizations (O) of issuing certificate authority. type: keyword; example: Example Inc
 * file.x509.issuer.organizational_unit: List of organizational units (OU) of issuing certificate authority. type: keyword; example: www.example.com
 * file.x509.issuer.state_or_province: List of state or province names (ST, S, or P). type: keyword; example: California
 * file.x509.not_after: Time at which the certificate is no longer considered valid. type: date; example: 2020-07-16 03:15:39+00:00
 * file.x509.not_before: Time at which the certificate is first considered valid. type: date; example: 2019-08-16 01:40:25+00:00
 * file.x509.public_key_algorithm: Algorithm used to generate the public key. type: keyword; example: RSA
 * file.x509.public_key_curve: The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword; example: nistp521
 * file.x509.public_key_exponent: Exponent used to derive the public key. This is algorithm specific. type: long; example: 65537. Field is not indexed.
 * file.x509.public_key_size: The size of the public key space in bits. type: long; example: 2048
 * file.x509.serial_number: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword; example: 55FBB9C7DEBF09809D12CCAA
 * file.x509.signature_algorithm: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword; example: SHA256-RSA
 * file.x509.subject.common_name: List of common names (CN) of subject. type: keyword; example: shared.global.example.net
 * file.x509.subject.country: List of country (C) codes. type: keyword; example: US
 * file.x509.subject.distinguished_name: Distinguished name (DN) of the certificate subject entity. type: keyword; example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
 * file.x509.subject.locality: List of locality names (L). type: keyword; example: San Francisco
 * file.x509.subject.organization: List of organizations (O) of subject. type: keyword; example: Example, Inc.
 * file.x509.subject.organizational_unit: List of organizational units (OU) of subject. type: keyword
 * file.x509.subject.state_or_province: List of state or province names (ST, S, or P). type: keyword; example: California
 * file.x509.version_number: Version of x509 format. type: keyword; example: 3

geo
Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
 * geo.city_name: City name. type: keyword; example: Montreal
 * geo.continent_code: Two-letter code representing continent's name. type: keyword; example: NA
 * geo.continent_name: Name of the continent. type: keyword; example: North America
 * geo.country_iso_code: Country ISO code. type: keyword; example: CA
 * geo.country_name: Country name. type: keyword; example: Canada
 * geo.location: Longitude and latitude. type: geo_point; example: { "lon": -73.614830, "lat": 45.505918 }
 * geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. type: keyword; example: boston-dc
 * geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword; example: 94040
 * geo.region_iso_code: Region ISO code. type: keyword; example: CA-QC
 * geo.region_name: Region name. type: keyword; example: Quebec
 * geo.timezone: The time zone of the location, such as IANA time zone name. type: keyword; example: America/Argentina/Buenos_Aires

group
The group fields are meant to represent groups that are relevant to the event.
 * group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. type: keyword
 * group.id: Unique identifier for the group on the system/platform. type: keyword
 * group.name: Name of the group. type: keyword

hash
The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
 * hash.md5: MD5 hash. type: keyword
 * hash.sha1: SHA1 hash. type: keyword
 * hash.sha256: SHA256 hash. type: keyword
 * hash.sha512: SHA512 hash. type: keyword
 * hash.ssdeep: SSDEEP hash. type: keyword

host
A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
 * host.architecture: Operating system architecture. type: keyword; example: x86_64
 * host.cpu.usage: Percent CPU used, normalized by the number of CPU cores, ranging from 0 to 1. Scaling factor: 1000. For example, for a two core host, this value should be the average of the two cores, between 0 and 1. type: scaled_float
 * host.disk.read.bytes: The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. type: long
 * host.disk.write.bytes: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. type: long
 * host.domain: Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. type: keyword; example: CONTOSO
 * host.geo.city_name: City name. type: keyword; example: Montreal
 * host.geo.continent_code: Two-letter code representing continent's name. type: keyword; example: NA
 * host.geo.continent_name: Name of the continent. type: keyword; example: North America
 * host.geo.country_iso_code: Country ISO code. type: keyword; example: CA
 * host.geo.country_name: Country name. type: keyword; example: Canada
 * host.geo.location: Longitude and latitude. type: geo_point; example: { "lon": -73.614830, "lat": 45.505918 }
 * host.geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. type: keyword; example: boston-dc
 * host.geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword; example: 94040
 * host.geo.region_iso_code: Region ISO code. type: keyword; example: CA-QC
 * host.geo.region_name: Region name. type: keyword
     example: Quebec host.geo.timezone The time zone of the location, such as
     IANA time zone name. type: keyword example: America/Argentina/Buenos_Aires
     host.hostname Hostname of the host.It normally contains what the hostname
     command returns on the host machine. type: keyword host.id Unique host
     id.As hostname is not always unique, use values that are meaningful in your
     environment.Example: The current usage of beat.name . type: keyword host.ip
     Host ip addresses. type: ip host.mac Host MAC addresses.The notation format
     from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented
     by two [uppercase] hexadecimal digits giving the value of the octet as an
     unsigned integer. Successive octets are separated by a hyphen. type:
     keyword example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] host.name Name
     of the host.It can contain what hostname returns on Unix systems, the fully
     qualified domain name, or a name specified by the user. The sender decides
     which value to use. type: keyword host.network.egress.bytes The number of
     bytes (gauge) sent out on all network interfaces by the host since the last
     metric collection. type: long host.network.egress.packets The number of
     packets (gauge) sent out on all network interfaces by the host since the
     last metric collection. type: long host.network.ingress.bytes The number of
     bytes received (gauge) on all network interfaces by the host since the last
     metric collection. type: long host.network.ingress.packets The number of
     packets (gauge) received on all network interfaces by the host since the
     last metric collection. type: long host.os.family OS family (such as
     redhat, debian, freebsd, windows). type: keyword example: debian
     host.os.full Operating system name, including the version or code name.
     type: keyword example: Mac OS Mojave host.os.full.text type:
     match_only_text host.os.kernel Operating system kernel version as a raw
     string. type: keyword example: 4.4.0-112-generic host.os.name Operating
     system name, without the version. type: keyword example: Mac OS X
     host.os.name.text type: match_only_text host.os.platform Operating system
     platform (such centos, ubuntu, windows). type: keyword example: darwin
     host.os.type Use the os.type field to categorize the operating system into
     one of the broad commercial families.One of these following values should
     be used (lowercase): linux, macos, unix, windows.If the OS you’re dealing
     with is not in the list, the field should not be populated. Please let us
     know by opening an issue with ECS, to propose its addition. type: keyword
     example: macos host.os.version Operating system version as a raw string.
     type: keyword example: 10.14.1 host.type Type of host.For Cloud providers
     this can be the machine type like t2.medium . If vm, this could be the
     container, for example, or other information meaningful in your
     environment. type: keyword host.uptime Seconds the host has been up. type:
     long example: 1325 http Fields related to HTTP activity. Use the url field
     set to store the url of the request. http.request.body.bytes Size in bytes
     of the request body. type: long example: 887 format: bytes
     http.request.body.content The full HTTP request body. type: wildcard
     example: Hello world http.request.body.content.text type: match_only_text
     http.request.bytes Total size in bytes of the request (body and headers).
     type: long example: 1437 format: bytes http.request.id A unique identifier
     for each HTTP request to correlate logs between clients and servers in
     transactions.The id may be contained in a non-standard HTTP header, such as
     X-Request-ID or X-Correlation-ID . type: keyword example:
     123e4567-e89b-12d3-a456-426614174000 http.request.method HTTP request
     method.The value should retain its casing from the original event. For
     example, GET , get , and GeT are all considered valid values for this
     field. type: keyword example: POST http.request.mime_type Mime type of the
     body of the request.This value must only be populated based on the content
     of the request body, not on the Content-Type header. Comparing the mime
     type of a request with the request’s Content-Type header can be helpful in
     detecting threats or misconfigured clients. type: keyword example:
     image/gif http.request.referrer Referrer for this HTTP request. type:
     keyword example: https://blog.example.com/ http.response.body.bytes Size in
     bytes of the response body. type: long example: 887 format: bytes
     http.response.body.content The full HTTP response body. type: wildcard
     example: Hello world http.response.body.content.text type: match_only_text
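The body-versus-header comparison that http.request.mime_type (and, symmetrically, http.response.mime_type) is meant to enable, as an added example that is not part of the ECS reference: the mime type is sniffed from the body's leading bytes, never taken from Content-Type, and a mismatch flag is produced for a detection rule. The magic-number table is a constructed subset and `mime_mismatch` is a constructed name, not an ECS field.

```python
"""Populate http.request.mime_type from the body and flag Content-Type mismatches.

Added example; not part of the ECS reference. The ECS text says mime_type is
derived from the body, never from the header; the comparison below is the
"threats or misconfigured clients" check it recommends. MAGIC is a constructed
subset of well-known file signatures, and the sample requests are constructed.
"""
from typing import Optional

# (leading bytes, mime type). Constructed subset; extend for your environment.
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/vnd.microsoft.portable-executable"),
    (b"\x7fELF", "application/x-elf"),
]


def sniff_mime_type(body: bytes) -> Optional[str]:
    """Return the mime type implied by the body's leading bytes, or None if unknown."""
    for prefix, mime in MAGIC:
        if body.startswith(prefix):
            return mime
    stripped = body.lstrip()
    if stripped[:1] in (b"{", b"["):
        return "application/json"
    if stripped[:1] == b"<":
        return "text/html" if b"<html" in stripped[:256].lower() else "text/xml"
    return None


def declared_mime_type(headers: dict) -> Optional[str]:
    """Media type from the Content-Type header (header names are case-insensitive),
    with parameters such as '; charset=utf-8' removed and lowercased."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() or None
    return None


def http_request_fields(headers: dict, body: bytes) -> dict:
    """Build the ECS http.request.* subset for one request plus a mismatch flag.

    'mime_mismatch' is not an ECS field; it is a constructed name for the
    body-vs-header comparison that would feed a detection rule. It is only
    raised when both sides are known, so unknown bodies never false-positive.
    """
    sniffed = sniff_mime_type(body)
    declared = declared_mime_type(headers)
    return {
        "http.request.body.bytes": len(body),
        "http.request.mime_type": sniffed,
        "mime_mismatch": (sniffed is not None and declared is not None
                          and sniffed != declared),
    }


# Constructed samples: an honest GIF upload, a PE disguised as a GIF, and a
# JSON body whose header carries a charset parameter.
SAMPLES = [
    ({"Content-Type": "image/gif"}, b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    ({"Content-Type": "image/gif"}, b"MZ\x90\x00\x03\x00\x00\x00"),
    ({"Content-Type": "application/json; charset=utf-8"}, b'  {"user": "x"}'),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(http_request_fields(headers, body))
```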
     http.response.bytes: Total size in bytes of the response (body and headers). type: long, example: 1437, format: bytes
     http.response.mime_type: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the Content-Type header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. type: keyword, example: image/gif
     http.response.status_code: HTTP response status code. type: long, example: 404, format: string
     http.version: HTTP version. type: keyword, example: 1.1
     interface (fieldset): The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
     interface.alias: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword, example: outside
     interface.id: Interface ID as reported by an observer (typically SNMP interface ID). type: keyword, example: 10
     interface.name: Interface name as reported by the system. type: keyword, example: eth0
     log (fieldset): Details about the event's logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under log.syslog.*. The details specific to your event source are typically not logged under log.*, but rather in event.* or in other ECS fields.
     log.file.path: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. type: keyword, example: /var/log/fun-times.log
     log.level: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in log.level. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are warn, err, i, informational. type: keyword, example: error
     log.logger: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. type: keyword, example: org.elasticsearch.bootstrap.Bootstrap
     log.origin.file.line: The line number of the file containing the source code which originated the log event. type: long, example: 42
     log.origin.file.name: The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is log.file.path. type: keyword, example: Bootstrap.java
     log.origin.function: The name of the function or method which originated the log event. type: keyword, example: init
     log.syslog: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. type: object
     log.syslog.facility.code: The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. type: long, example: 23, format: string
     log.syslog.facility.name: The Syslog text-based facility of the log event, if available. type: keyword, example: local7
     log.syslog.priority: Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. type: long, example: 135, format: string
     log.syslog.severity.code: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to event.severity. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity. type: long, example: 3
     log.syslog.severity.name: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to log.level. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level. type: keyword, example: Error
     network (fieldset): The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.
     network.application: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection as being from a specific web service in an https network connection, like facebook or twitter. The field value must be normalized to lowercase for querying. type: keyword, example: aim
     network.bytes: Total bytes transferred in both directions. If source.bytes and destination.bytes are known, network.bytes is their sum. type: long, example: 368, format: bytes
     network.community_id: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: keyword, example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
     network.direction: Direction of the network traffic. Recommended values are: ingress, egress, inbound, outbound, internal, external, unknown. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword, example: inbound
     network.forwarded_ip: Host IP address when the source IP address is the proxy. type: ip, example: 192.1.1.2
     network.iana_number: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword, example: 6
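The two network.* enrichments explained above, network.community_id and network.direction, carried through on one constructed flow as an added example (not part of the ECS reference). Community ID follows the v1 layout of the linked spec for TCP/UDP/SCTP (ICMP type/code mapping is left out); the direction function applies the host-based and perimeter-based rules from the text, with the 10.0.0.0/8 "perimeter" and the sample addresses being constructed assumptions.

```python
"""Enrich a flow record with ECS network.community_id and network.direction.

Added example; not part of the ECS reference. community_id() implements the
v1 layout from https://github.com/corelight/community-id-spec for protocols
with ports (TCP/UDP/SCTP); the spec's ICMP type/code mapping is omitted.
network_direction() applies the host-based (ingress/egress) and
perimeter-based (inbound/outbound/internal/external) rules from the text.
The sample flow and the perimeter CIDR below are constructed.
"""
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers whose ports take part in the hash (tcp, udp, sctp).
PORT_PROTOS = {6, 17, 132}
TRANSPORT_NAMES = {6: "tcp", 17: "udp", 132: "sctp"}


def community_id(saddr, daddr, proto, sport=0, dport=0, seed=0):
    """Community ID v1: '1:' + base64(sha1(seed | saddr | daddr | proto | 0 [| sport | dport])).

    Endpoints are put in canonical order (lower address, then lower port,
    first) so that both directions of a conversation yield the same id.
    """
    src, dst = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if src.version != dst.version:
        raise ValueError("address family mismatch")
    has_ports = proto in PORT_PROTOS
    if not has_ports:
        sport = dport = 0
    if (src.packed, sport) > (dst.packed, dport):
        src, dst, sport, dport = dst, src, dport, sport
    data = struct.pack("!H", seed) + src.packed + dst.packed + struct.pack("!BB", proto, 0)
    if has_ports:
        data += struct.pack("!HH", sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def network_direction(saddr, daddr, perimeter, host_ip=None):
    """Populate network.direction for the two contexts the ECS text describes.

    Host-based context (host_ip given): 'ingress' when the host is the
    destination, 'egress' when it is the source, else 'unknown'.
    Perimeter context: each endpoint is inside or outside the perimeter
    networks, giving internal/outbound/inbound/external.
    """
    src, dst = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if host_ip is not None:
        host = ipaddress.ip_address(host_ip)
        if dst == host:
            return "ingress"
        if src == host:
            return "egress"
        return "unknown"
    nets = [ipaddress.ip_network(n) for n in perimeter]
    src_in = any(src in n for n in nets)
    dst_in = any(dst in n for n in nets)
    return {(True, True): "internal", (True, False): "outbound",
            (False, True): "inbound", (False, False): "external"}[(src_in, dst_in)]


def enrich_flow(flow, perimeter, host_ip=None):
    """Return the ECS network.* subset for a flow dict keyed by ECS field names."""
    proto = flow["network.iana_number"]
    return {
        "network.community_id": community_id(
            flow["source.ip"], flow["destination.ip"], proto,
            flow.get("source.port", 0), flow.get("destination.port", 0)),
        "network.direction": network_direction(
            flow["source.ip"], flow["destination.ip"], perimeter, host_ip),
        "network.iana_number": str(proto),  # ECS stores this as keyword
        "network.transport": TRANSPORT_NAMES.get(proto, "unknown"),
    }


# Constructed sample: a TCP session from an inside host to TEST-NET-3,
# as a perimeter sensor would see it.
SAMPLE_FLOW = {"source.ip": "10.1.2.3", "source.port": 51234,
               "destination.ip": "203.0.113.10", "destination.port": 443,
               "network.iana_number": 6}
PERIMETER = ["10.0.0.0/8"]

if __name__ == "__main__":
    print(enrich_flow(SAMPLE_FLOW, PERIMETER))
    print(enrich_flow(SAMPLE_FLOW, PERIMETER, host_ip="10.1.2.3"))
```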
     network.inner: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark). type: object
     network.inner.vlan.id: VLAN ID as reported by the observer. type: keyword, example: 10
     network.inner.vlan.name: Optional VLAN name as reported by the observer. type: keyword, example: outside
     network.name: Name given by operators to sections of their network. type: keyword, example: Guest Wifi
     network.packets: Total packets transferred in both directions. If source.packets and destination.packets are known, network.packets is their sum. type: long, example: 24
     network.protocol: In the OSI Model this would be the Application Layer protocol. For example, http, dns, or ssh. The field value must be normalized to lowercase for querying. type: keyword, example: http
     network.transport: Same as network.iana_number, but instead using the keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.). The field value must be normalized to lowercase for querying. type: keyword, example: tcp
     network.type: In the OSI Model this would be the Network Layer: ipv4, ipv6, ipsec, pim, etc. The field value must be normalized to lowercase for querying. type: keyword, example: ipv4
     network.vlan.id: VLAN ID as reported by the observer. type: keyword, example: 10
     network.vlan.name: Optional VLAN name as reported by the observer. type: keyword, example: outside
     observer (fieldset): An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
     observer.egress: Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. type: object
     observer.egress.interface.alias: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword, example: outside
     observer.egress.interface.id: Interface ID as reported by an observer (typically SNMP interface ID). type: keyword, example: 10
     observer.egress.interface.name: Interface name as reported by the system. type: keyword, example: eth0
     observer.egress.vlan.id: VLAN ID as reported by the observer. type: keyword, example: 10
     observer.egress.vlan.name: Optional VLAN name as reported by the observer. type: keyword, example: outside
     observer.egress.zone: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. type: keyword, example: Public_Internet
     observer.geo.city_name: City name. type: keyword, example: Montreal
     observer.geo.continent_code: Two-letter code representing the continent's name. type: keyword, example: NA
     observer.geo.continent_name: Name of the continent. type: keyword, example: North America
     observer.geo.country_iso_code: Country ISO code. type: keyword, example: CA
     observer.geo.country_name: Country name. type: keyword, example: Canada
     observer.geo.location: Longitude and latitude. type: geo_point, example: { "lon": -73.614830, "lat": 45.505918 }
     observer.geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. type: keyword, example: boston-dc
     observer.geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword, example: 94040
     observer.geo.region_iso_code: Region ISO code. type: keyword, example: CA-QC
     observer.geo.region_name: Region name. type: keyword, example: Quebec
     observer.geo.timezone: The time zone of the location, such as an IANA time zone name. type: keyword, example: America/Argentina/Buenos_Aires
     observer.hostname: Hostname of the observer. type: keyword
     observer.ingress: Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. type: object
     observer.ingress.interface.alias: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword, example: outside
     observer.ingress.interface.id: Interface ID as reported by an observer (typically SNMP interface ID). type: keyword, example: 10
     observer.ingress.interface.name: Interface name as reported by the system. type: keyword, example: eth0
     observer.ingress.vlan.id: VLAN ID as reported by the observer. type: keyword, example: 10
     observer.ingress.vlan.name: Optional VLAN name as reported by the observer. type: keyword, example: outside
     observer.ingress.zone: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic, e.g. internal, External, DMZ, HR, Legal, etc. type: keyword, example: DMZ
     observer.ip: IP addresses of the observer. type: ip
     observer.mac: MAC addresses of the observer. The notation format from RFC 7042 is suggested: each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword, example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
     observer.name: Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. type: keyword, example: 1_proxySG
     observer.os.family: OS family (such as redhat, debian, freebsd, windows). type: keyword, example: debian
     observer.os.full: Operating system name, including the version or code name. type: keyword, example: Mac OS Mojave
     observer.os.full.text: type: match_only_text
     observer.os.kernel: Operating system kernel version as a raw string. type: keyword, example: 4.4.0-112-generic
     observer.os.name: Operating system name, without the version. type: keyword, example: Mac OS X
     observer.os.name.text: type: match_only_text
     observer.os.platform: Operating system platform (such as centos, ubuntu, windows). type: keyword, example: darwin
     observer.os.type: Use the os.type field to categorize the operating system into one of the broad commercial families. One of the following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword, example: macos
     observer.os.version: Operating system version as a raw string. type: keyword, example: 10.14.1
     observer.product: The product name of the observer. type: keyword, example: s200
     observer.serial_number: Observer serial number. type: keyword
     observer.type: The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server. type: keyword, example: firewall
     observer.vendor: Vendor name of the observer. type: keyword, example: Symantec
     observer.version: Observer version. type: keyword
     orchestrator (fieldset): Fields that describe the resources which container orchestrators manage or act upon.
     orchestrator.api_version: API version being used to carry out the action. type: keyword, example: v1beta1
     orchestrator.cluster.name: Name of the cluster. type: keyword
     orchestrator.cluster.url: URL of the API used to manage the cluster. type: keyword
     orchestrator.cluster.version: The version of the cluster. type: keyword
     orchestrator.namespace: Namespace in which the action is taking place. type: keyword, example: kube-system
     orchestrator.organization: Organization affected by the event (for multi-tenant orchestrator setups). type: keyword, example: elastic
     orchestrator.resource.name: Name of the resource being acted upon. type: keyword, example: test-pod-cdcws
     orchestrator.resource.type: Type of resource being acted upon. type: keyword, example: service
     orchestrator.type: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). type: keyword, example: kubernetes
     organization (fieldset): The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
     organization.id: Unique identifier for the organization. type: keyword
     organization.name: Organization name. type: keyword
     organization.name.text: type: match_only_text
     os (fieldset): The OS fields contain information about the operating system.
     os.family: OS family (such as redhat, debian, freebsd, windows). type: keyword, example: debian
     os.full: Operating system name, including the version or code name. type: keyword, example: Mac OS Mojave
     os.full.text: type: match_only_text
     os.kernel: Operating system kernel version as a raw string. type: keyword, example: 4.4.0-112-generic
     os.name: Operating system name, without the version. type: keyword, example: Mac OS X
     os.name.text: type: match_only_text
     os.platform: Operating system platform (such as centos, ubuntu, windows). type: keyword, example: darwin
     os.type: Use the os.type field to categorize the operating system into one of the broad commercial families. One of the following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword, example: macos
     os.version: Operating system version as a raw string. type: keyword, example: 10.14.1
     package (fieldset): These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
     package.architecture: Package architecture. type: keyword, example: x86_64
     package.build_version: Additional information about the build version of the installed package. For example, use the commit SHA of a non-released package. type: keyword, example: 36f4f7e89dd61b0988b12ee000b98966867710cd
     package.checksum: Checksum of the installed package for verification. type: keyword, example: 68b329da9893e34099c7d8ad5cb9c940
     package.description: Description of the package. type: keyword, example: Open source programming language to build simple/reliable/efficient software.
     package.install_scope: Indicates how the package was installed, e.g. user-local, global. type: keyword, example: global
     package.installed: Time when the package was installed. type: date
     package.license: License under which the package was released. Use a short name, e.g. the license identifier from the SPDX License List where possible (https://spdx.org/licenses/). type: keyword, example: Apache License 2.0
     package.name: Package name. type: keyword, example: go
     package.path: Path where the package is installed. type: keyword, example: /usr/local/Cellar/go/1.12.9/
     package.reference: Home page or reference URL of the software in this package, if available. type: keyword, example: https://golang.org
     package.size: Package size in bytes. type: long, example: 62231, format: string
     package.type: Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. type: keyword, example: rpm
     package.version: Package version. type: keyword, example: 1.12.9
     pe (fieldset): These fields contain Windows Portable Executable (PE) metadata.
     pe.architecture: CPU architecture target for the file. type: keyword, example: x64
     pe.company: Internal company name of the file, provided at compile-time. type: keyword, example: Microsoft Corporation
     pe.description: Internal description of the file, provided at compile-time. type: keyword, example: Paint
     pe.file_version: Internal version of the file, provided at compile-time. type: keyword, example: 6.3.9600.17415
     pe.imphash: A hash of the imports in a PE file. An imphash (import hash) can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword, example: 0c6803c4e922103c4dca5963aad36ddf
     pe.original_file_name: Internal name of the file, provided at compile-time. type: keyword, example: MSPAINT.EXE
     pe.product: Internal product name of the file, provided at compile-time. type: keyword, example: Microsoft® Windows® Operating System
     process (fieldset): These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.
     process.args: Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword, example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
     process.args_count: Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. type: long, example: 4
     process.code_signature.digest_algorithm: The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. type: keyword, example: sha256
     process.code_signature.exists: Boolean to capture if a signature is present. type: boolean, example: true
     process.code_signature.signing_id: The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword, example: com.apple.xpc.proxy
     process.code_signature.status: Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword, example: ERROR_UNTRUSTED_ROOT
     process.code_signature.subject_name: Subject name of the code signer. type: keyword, example: Microsoft Corporation
     process.code_signature.team_id: The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword, example: EQHXZ8M8AV
     process.code_signature.timestamp: Date and time when the code signature was generated and signed. type: date, example: 2021-01-01T12:10:30Z
     process.code_signature.trusted: Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. type: boolean, example: true
     process.code_signature.valid: Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. type: boolean, example: true
     process.command_line: Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. type: wildcard, example: /usr/bin/ssh -l user 10.0.0.16
     process.command_line.text: type: match_only_text
     process.elf.architecture: Machine architecture of the ELF file. type: keyword, example: x86-64
     process.elf.byte_order: Byte sequence of the ELF file. type: keyword, example: Little Endian
     process.elf.cpu_type: CPU type of the ELF file. type: keyword, example: Intel
     process.elf.creation_date: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date
     process.elf.exports: List of exported element names and types. type: flattened
     process.elf.header.abi_version: Version of the ELF Application Binary Interface (ABI). type: keyword
     process.elf.header.class: Header class of the ELF file. type: keyword
     process.elf.header.data: Data table of the ELF header. type: keyword
     process.elf.header.entrypoint: Header entrypoint of the ELF file. type: long, format: string
     process.elf.header.object_version: "0x1" for original ELF files. type: keyword
     process.elf.header.os_abi: Application Binary Interface (ABI) of the Linux OS. type: keyword
     process.elf.header.type: Header type of the ELF file. type: keyword
     process.elf.header.version: Version of the ELF header. type: keyword
     process.elf.imports: List of imported element names and types. type: flattened
     process.elf.sections: An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*. type: nested
     process.elf.sections.chi2: Chi-square probability distribution of the section. type: long, format: number
     process.elf.sections.entropy: Shannon entropy calculation from the section. type: long, format: number
     process.elf.sections.flags: ELF Section List flags. type: keyword
     process.elf.sections.name: ELF Section List name. type: keyword
     process.elf.sections.physical_offset ELF Section List offset. type: keyword
     process.elf.sections.physical_size ELF Section List physical size. type:
     long format: bytes process.elf.sections.type ELF Section List type. type:
     keyword process.elf.sections.virtual_address ELF Section List virtual
     address. type: long format: string process.elf.sections.virtual_size ELF
     Section List virtual size. type: long format: string process.elf.segments
     An array containing an object for each segment of the ELF file.The keys
     that should be present in these objects are defined by sub-fields
     underneath elf.segments.* . type: nested process.elf.segments.sections ELF
     object segment sections. type: keyword process.elf.segments.type ELF object
     segment type. type: keyword process.elf.shared_libraries List of shared
     libraries used by this ELF object. type: keyword process.elf.telfhash
     telfhash symbol hash for ELF file. type: keyword process.end The time the
     process ended. type: date example: 2016-05-23T08:05:34.853Z
     * process.entity_id: Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. (type: keyword; example: c2c455d9f99375d)
     * process.executable: Absolute path to the process executable. (type: keyword; example: /usr/bin/ssh)
     * process.executable.text (type: match_only_text)
     * process.exit_code: The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). (type: long; example: 137)
     * process.hash.md5: MD5 hash. (type: keyword)
     * process.hash.sha1: SHA1 hash. (type: keyword)
     * process.hash.sha256: SHA256 hash. (type: keyword)
     * process.hash.sha512: SHA512 hash. (type: keyword)
     * process.hash.ssdeep: SSDEEP hash. (type: keyword)
     * process.name: Process name. Sometimes called program name or similar. (type: keyword; example: ssh)
     * process.name.text (type: match_only_text)
     * process.parent.args: Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. (type: keyword; example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"])
     * process.parent.args_count: Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. (type: long; example: 4)
     * process.parent.code_signature.digest_algorithm: The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. (type: keyword; example: sha256)
     * process.parent.code_signature.exists: Boolean to capture if a signature is present. (type: boolean; example: true)
     * process.parent.code_signature.signing_id: The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. (type: keyword; example: com.apple.xpc.proxy)
     * process.parent.code_signature.status: Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. (type: keyword; example: ERROR_UNTRUSTED_ROOT)
     * process.parent.code_signature.subject_name: Subject name of the code signer. (type: keyword; example: Microsoft Corporation)
     * process.parent.code_signature.team_id: The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. (type: keyword; example: EQHXZ8M8AV)
     * process.parent.code_signature.timestamp: Date and time when the code signature was generated and signed. (type: date; example: 2021-01-01T12:10:30Z)
     * process.parent.code_signature.trusted: Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. (type: boolean; example: true)
     * process.parent.code_signature.valid: Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. (type: boolean; example: true)
     * process.parent.command_line: Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. (type: wildcard; example: /usr/bin/ssh -l user 10.0.0.16)
     * process.parent.command_line.text (type: match_only_text)
     * process.parent.elf.architecture: Machine architecture of the ELF file. (type: keyword; example: x86-64)
     * process.parent.elf.byte_order: Byte sequence of ELF file. (type: keyword; example: Little Endian)
     * process.parent.elf.cpu_type: CPU type of the ELF file. (type: keyword; example: Intel)
     * process.parent.elf.creation_date: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. (type: date)
     * process.parent.elf.exports: List of exported element names and types. (type: flattened)
     * process.parent.elf.header.abi_version: Version of the ELF Application Binary Interface (ABI). (type: keyword)
     * process.parent.elf.header.class: Header class of the ELF file. (type: keyword)
     * process.parent.elf.header.data: Data table of the ELF header. (type: keyword)
     * process.parent.elf.header.entrypoint: Header entrypoint of the ELF file. (type: long; format: string)
     * process.parent.elf.header.object_version: "0x1" for original ELF files. (type: keyword)
     * process.parent.elf.header.os_abi: Application Binary Interface (ABI) of the Linux OS. (type: keyword)
     * process.parent.elf.header.type: Header type of the ELF file. (type: keyword)
     * process.parent.elf.header.version: Version of the ELF header. (type: keyword)
     * process.parent.elf.imports: List of imported element names and types. (type: flattened)
     * process.parent.elf.sections: An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*. (type: nested)
     * process.parent.elf.sections.chi2: Chi-square probability distribution of the section. (type: long; format: number)
     * process.parent.elf.sections.entropy: Shannon entropy calculation from the section. (type: long; format: number)
     * process.parent.elf.sections.flags: ELF Section List flags. (type: keyword)
     * process.parent.elf.sections.name: ELF Section List name. (type: keyword)
     * process.parent.elf.sections.physical_offset: ELF Section List offset. (type: keyword)
     * process.parent.elf.sections.physical_size: ELF Section List physical size. (type: long; format: bytes)
     * process.parent.elf.sections.type: ELF Section List type. (type: keyword)
     * process.parent.elf.sections.virtual_address: ELF Section List virtual address. (type: long; format: string)
     * process.parent.elf.sections.virtual_size: ELF Section List virtual size. (type: long; format: string)
     * process.parent.elf.segments: An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*. (type: nested)
     * process.parent.elf.segments.sections: ELF object segment sections. (type: keyword)
     * process.parent.elf.segments.type: ELF object segment type. (type: keyword)
     * process.parent.elf.shared_libraries: List of shared libraries used by this ELF object. (type: keyword)
     * process.parent.elf.telfhash: telfhash symbol hash for ELF file. (type: keyword)
     * process.parent.end: The time the process ended. (type: date; example: 2016-05-23T08:05:34.853Z)
     * process.parent.entity_id: Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. (type: keyword; example: c2c455d9f99375d)
     * process.parent.executable: Absolute path to the process executable. (type: keyword; example: /usr/bin/ssh)
     * process.parent.executable.text (type: match_only_text)
     * process.parent.exit_code: The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). (type: long; example: 137)
     * process.parent.hash.md5: MD5 hash. (type: keyword)
     * process.parent.hash.sha1: SHA1 hash. (type: keyword)
     * process.parent.hash.sha256: SHA256 hash. (type: keyword)
     * process.parent.hash.sha512: SHA512 hash. (type: keyword)
     * process.parent.hash.ssdeep: SSDEEP hash. (type: keyword)
     * process.parent.name: Process name. Sometimes called program name or similar. (type: keyword; example: ssh)
     * process.parent.name.text (type: match_only_text)
     * process.parent.pe.architecture: CPU architecture target for the file. (type: keyword; example: x64)
     * process.parent.pe.company: Internal company name of the file, provided at compile-time. (type: keyword; example: Microsoft Corporation)
     * process.parent.pe.description: Internal description of the file, provided at compile-time. (type: keyword; example: Paint)
     * process.parent.pe.file_version: Internal version of the file, provided at compile-time. (type: keyword; example: 6.3.9600.17415)
     * process.parent.pe.imphash: A hash of the imports in a PE file. An imphash (or import hash) can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. (type: keyword; example: 0c6803c4e922103c4dca5963aad36ddf)
     * process.parent.pe.original_file_name: Internal name of the file, provided at compile-time. (type: keyword; example: MSPAINT.EXE)
     * process.parent.pe.product: Internal product name of the file, provided at compile-time. (type: keyword; example: Microsoft® Windows® Operating System)
     * process.parent.pgid: Identifier of the group of processes the process belongs to. (type: long; format: string)
     * process.parent.pid: Process id. (type: long; format: string; example: 4242)
     * process.parent.start: The time the process started. (type: date; example: 2016-05-23T08:05:34.853Z)
     * process.parent.thread.id: Thread ID. (type: long; format: string; example: 4242)
     * process.parent.thread.name: Thread name. (type: keyword; example: thread-0)
     * process.parent.title: Process title. The proctitle, sometimes the same as the process name. Can also be different: for example, a browser setting its title to the web page currently opened. (type: keyword)
     * process.parent.title.text (type: match_only_text)
     * process.parent.uptime: Seconds the process has been up. (type: long; example: 1325)
     * process.parent.working_directory: The working directory of the process. (type: keyword; example: /home/alice)
     * process.parent.working_directory.text (type: match_only_text)
     * process.pe.architecture: CPU architecture target for the file. (type: keyword; example: x64)
     * process.pe.company: Internal company name of the file, provided at compile-time. (type: keyword; example: Microsoft Corporation)
     * process.pe.description: Internal description of the file, provided at compile-time. (type: keyword; example: Paint)
     * process.pe.file_version: Internal version of the file, provided at compile-time. (type: keyword; example: 6.3.9600.17415)
     * process.pe.imphash: A hash of the imports in a PE file. An imphash (or import hash) can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. (type: keyword; example: 0c6803c4e922103c4dca5963aad36ddf)
     * process.pe.original_file_name: Internal name of the file, provided at compile-time. (type: keyword; example: MSPAINT.EXE)
     * process.pe.product: Internal product name of the file, provided at compile-time. (type: keyword; example: Microsoft® Windows® Operating System)
     * process.pgid: Identifier of the group of processes the process belongs to. (type: long; format: string)
     * process.pid: Process id. (type: long; format: string; example: 4242)
     * process.start: The time the process started. (type: date; example: 2016-05-23T08:05:34.853Z)
     * process.thread.id: Thread ID. (type: long; format: string; example: 4242)
     * process.thread.name: Thread name. (type: keyword; example: thread-0)
     * process.title: Process title. The proctitle, sometimes the same as the process name. Can also be different: for example, a browser setting its title to the web page currently opened. (type: keyword)
     * process.title.text (type: match_only_text)
     * process.uptime: Seconds the process has been up. (type: long; example: 1325)
     * process.working_directory: The working directory of the process. (type: keyword; example: /home/alice)
     * process.working_directory.text (type: match_only_text)

     registry: Fields related to Windows Registry operations.
     * registry.data.bytes: Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed to by lp_data. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. (type: keyword; example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=)
     * registry.data.strings: Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of strings with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g. "1"). (type: wildcard; example: ["C:\rta\red_ttp\bin\myapp.exe"])
     * registry.data.type: Standard registry type for encoding contents. (type: keyword; example: REG_SZ)
     * registry.hive: Abbreviated name for the hive. (type: keyword; example: HKLM)
     * registry.key: Hive-relative path of keys. (type: keyword; example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe)
     * registry.path: Full path, including hive, key and value. (type: keyword; example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger)
     * registry.value: Name of the value written. (type: keyword; example: Debugger)

     related: This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in related. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to related.ip, you can then search for a given IP trivially, no matter where it appeared, by querying related.ip:192.0.2.15.
     * related.hash: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). (type: keyword)
     * related.hosts: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. (type: keyword)
     * related.ip: All of the IPs seen on your event. (type: ip)
     * related.user: All the user names or other user identifiers seen on the event. (type: keyword)

     rule: Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, URL filters, endpoint detection and response (EDR) systems, etc.
     * rule.author: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. (type: keyword; example: ["Star-Lord"])
     * rule.category: A categorization value keyword used by the entity using the rule for detection of this event. (type: keyword; example: Attempted Information Leak)
     * rule.description: The description of the rule generating the event. (type: keyword; example: Block requests to public DNS over HTTPS / TLS protocols)
     * rule.id: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. (type: keyword; example: 101)
     * rule.license: Name of the license under which the rule used to generate this event is made available. (type: keyword; example: Apache 2.0)
     * rule.name: The name of the rule or signature generating the event. (type: keyword; example: BLOCK_DNS_over_TLS)
     * rule.reference: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. (type: keyword; example: https://en.wikipedia.org/wiki/DNS_over_TLS)
     * rule.ruleset: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. (type: keyword; example: Standard_Protocol_Filters)
     * rule.uuid: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. (type: keyword; example: 1100110011)
     * rule.version: The version / revision of the rule being used for analysis. (type: keyword; example: 1.1)

     server: A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer to the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
     * server.address: Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is. (type: keyword)
     * server.as.number: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. (type: long; example: 15169)
     * server.as.organization.name: Organization name. (type: keyword; example: Google LLC)
     * server.as.organization.name.text (type: match_only_text)
     * server.bytes: Bytes sent from the server to the client. (type: long; format: bytes; example: 184)
     * server.domain: The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. (type: keyword; example: foo.example.com)
     * server.geo.city_name: City name. (type: keyword; example: Montreal)
     * server.geo.continent_code: Two-letter code representing the continent's name. (type: keyword; example: NA)
     * server.geo.continent_name: Name of the continent. (type: keyword; example: North America)
     * server.geo.country_iso_code: Country ISO code. (type: keyword; example: CA)
     * server.geo.country_name: Country name. (type: keyword; example: Canada)
     * server.geo.location: Longitude and latitude. (type: geo_point; example: { "lon": -73.614830, "lat": 45.505918 })
     * server.geo.name: User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. (type: keyword; example: boston-dc)
     * server.geo.postal_code: Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. (type: keyword; example: 94040)
     * server.geo.region_iso_code: Region ISO code. (type: keyword; example: CA-QC)
     * server.geo.region_name: Region name. (type: keyword; example: Quebec)
     * server.geo.timezone: The time zone of the location, such as an IANA time zone name. (type: keyword; example: America/Argentina/Buenos_Aires)
     * server.ip: IP address of the server (IPv4 or IPv6). (type: ip)
     * server.mac: MAC address of the server. The notation format from RFC 7042 is suggested: each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. (type: keyword; example: 00-00-5E-00-53-23)
     * server.nat.ip: Translated IP of destination-based NAT sessions (e.g. internet to private DMZ). Typically used with load balancers, firewalls, or routers. (type: ip)
     * server.nat.port: Translated port of destination-based NAT sessions (e.g. internet to private DMZ). Typically used with load balancers, firewalls, or routers. (type: long; format: string)
     * server.packets: Packets sent from the server to the client. (type: long; example: 12)
     * server.port: Port of the server. (type: long; format: string)
     * server.registered_domain: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". (type: keyword; example: example.com)
     * server.subdomain: The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. (type: keyword; example: east)
     * server.top_level_domain: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". (type: keyword; example: co.uk)
     * server.user.domain: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. (type: keyword)
     * server.user.email: User email address. (type: keyword)
     * server.user.full_name: User's full name, if available. (type: keyword; example: Albert Einstein)
     * server.user.full_name.text (type: match_only_text)
     * server.user.group.domain: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. (type: keyword)
     * server.user.group.id: Unique identifier for the group on the system/platform. (type: keyword)
     * server.user.group.name: Name of the group. (type: keyword)
     * server.user.hash: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used. (type: keyword)
     * server.user.id: Unique identifier of the user. (type: keyword; example: S-1-5-21-202424912787-2692429404-2351956786-1000)
     * server.user.name: Short name or login of the user. (type: keyword; example: a.einstein)
     * server.user.name.text (type: match_only_text)
     * server.user.roles: Array of user roles at the time of the event. (type: keyword; example: ["kibana_admin", "reporting_user"])

     service: The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
     * service.address: Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). (type: keyword; example: 172.26.0.2:5432)
     * service.environment: Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. (type: keyword; example: production)
     * service.ephemeral_id: Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not. (type: keyword; example: 8a4f500f)
     * service.id: Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that host.name or host.id instead. (type: keyword; example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6)
     * service.name: Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified. (type: keyword; example: elasticsearch-metrics)
     * service.node.name: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host), the node name can be manually set. (type: keyword; example: instance-0000000016)
     * service.origin.address: Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). (type: keyword; example: 172.26.0.2:5432)
     * service.origin.environment: Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. (type: keyword; example: production)
     * service.origin.ephemeral_id: Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not. (type: keyword; example: 8a4f500f)
     * service.origin.id: Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that host.name or host.id instead. (type: keyword; example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6)
     * service.origin.name: Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified. (type: keyword; example: elasticsearch-metrics)
     service.origin.node.name Name of a service node.This allows for two nodes
     of the same service running on the same host to be differentiated.
     Therefore, service.node.name should typically be unique across nodes of a
     given service.In the case of Elasticsearch, the service.node.name could
     contain the unique node name within the Elasticsearch cluster. In cases
     where the service doesn’t have the concept of a node name, the host name or
     container name can be used to distinguish running instances that make up
     this service. If those do not provide uniqueness (e.g. multiple instances
     of the service running on the same host) - the node name can be manually
     set. type: keyword example: instance-0000000016 service.origin.state
     Current state of the service. type: keyword service.origin.type The type of
     the service data is collected from.The type can be used to group and
     correlate logs and metrics from one service type.Example: If logs or
     metrics are collected from Elasticsearch, service.type would be
     elasticsearch . type: keyword example: elasticsearch service.origin.version
     Version of the service the data was collected from.This allows to look at a
     data set only for a specific version of a service. type: keyword example:
     3.2.4 service.state Current state of the service. type: keyword
     service.target.address Address where data about this service was collected
     from.This should be a URI, network address (ipv4:port or [ipv6]:port) or a
     resource path (sockets). type: keyword example: 172.26.0.2:5432
     service.target.environment Identifies the environment where the service is
     running.If the same service runs in different environments (production,
     staging, QA, development, etc.), the environment can identify other
     instances of the same service. Can also group services and applications
     from the same environment. type: keyword example: production
     service.target.ephemeral_id Ephemeral identifier of this service (if one
     exists).This id normally changes across restarts, but service.id does not.
     type: keyword example: 8a4f500f service.target.id Unique identifier of the
     running service. If the service is comprised of many nodes, the service.id
     should be the same for all nodes.This id should uniquely identify the
     service. This makes it possible to correlate logs and metrics for one
     specific service, no matter which particular node emitted the event.Note
     that if you need to see the events from one specific host of the service,
     you should filter on that host.name or host.id instead. type: keyword
     example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 service.target.name Name
     of the service data is collected from.The name of the service is normally
     user given. This allows for distributed services that run on multiple hosts
     to correlate the related instances based on the name.In the case of
     Elasticsearch the service.name could contain the cluster name. For Beats
     the service.name is by default a copy of the service.type field if no name
     is specified. type: keyword example: elasticsearch-metrics
     service.target.node.name Name of a service node.This allows for two nodes
     of the same service running on the same host to be differentiated.
     Therefore, service.node.name should typically be unique across nodes of a
     given service.In the case of Elasticsearch, the service.node.name could
     contain the unique node name within the Elasticsearch cluster. In cases
     where the service doesn’t have the concept of a node name, the host name or
     container name can be used to distinguish running instances that make up
     this service. If those do not provide uniqueness (e.g. multiple instances
     of the service running on the same host) - the node name can be manually
     set. type: keyword example: instance-0000000016 service.target.state
     Current state of the service. type: keyword service.target.type The type of
     the service data is collected from.The type can be used to group and
     correlate logs and metrics from one service type.Example: If logs or
     metrics are collected from Elasticsearch, service.type would be
     elasticsearch . type: keyword example: elasticsearch service.target.version
     Version of the service the data was collected from.This allows to look at a
     data set only for a specific version of a service. type: keyword example:
     3.2.4 service.type The type of the service data is collected from.The type
     can be used to group and correlate logs and metrics from one service
     type.Example: If logs or metrics are collected from Elasticsearch,
     service.type would be elasticsearch . type: keyword example: elasticsearch
     service.version Version of the service the data was collected from.This
     allows to look at a data set only for a specific version of a service.
     type: keyword example: 3.2.4 source Source fields capture details about the
     sender of a network exchange/packet. These fields are populated from a
     network event, packet, or other event containing details of a network
     transaction.Source fields are usually populated in conjunction with
     destination fields. The source and destination fields are considered the
     baseline and should always be filled if an event contains source and
     destination details from a network transaction. If the event also contains
     identification of the client and server roles, then the client and server
     fields should also be populated. source.address Some event source addresses
     are defined ambiguously. The event will sometimes list an IP, a domain or a
     unix socket. You should always store the raw address in the .address
     field.Then it should be duplicated to .ip or .domain , depending on which
     one it is. type: keyword source.as.number Unique number allocated to the
     autonomous system. The autonomous system number (ASN) uniquely identifies
     each network on the Internet. type: long example: 15169
     source.as.organization.name Organization name. type: keyword example:
     Google LLC source.as.organization.name.text type: match_only_text
     source.bytes Bytes sent from the source to the destination. type: long
     example: 184 format: bytes source.domain The domain name of the source
     system.This value may be a host name, a fully qualified domain name, or
     another host naming format. The value may derive from the original event or
     be added from enrichment. type: keyword example: foo.example.com
     source.geo.city_name City name. type: keyword example: Montreal
     source.geo.continent_code Two-letter code representing continent’s name.
     type: keyword example: NA source.geo.continent_name Name of the continent.
     type: keyword example: North America source.geo.country_iso_code Country
     ISO code. type: keyword example: CA source.geo.country_name Country name.
     type: keyword example: Canada source.geo.location Longitude and latitude.
     type: geo_point example: { "lon": -73.614830, "lat": 45.505918 }
     source.geo.name User-defined description of a location, at the level of
     granularity they care about.Could be the name of their data centers, the
     floor number, if this describes a local physical entity, city names.Not
     typically used in automated geolocation. type: keyword example: boston-dc
     source.geo.postal_code Postal code associated with the location.Values
     appropriate for this field may also be known as a postcode or ZIP code and
     will vary widely from country to country. type: keyword example: 94040
     source.geo.region_iso_code Region ISO code. type: keyword example: CA-QC
     source.geo.region_name Region name. type: keyword example: Quebec
     source.geo.timezone The time zone of the location, such as IANA time zone
     name. type: keyword example: America/Argentina/Buenos_Aires source.ip IP
     address of the source (IPv4 or IPv6). type: ip source.mac MAC address of
     the source.The notation format from RFC 7042 is suggested: Each octet (that
     is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
     the value of the octet as an unsigned integer. Successive octets are
     separated by a hyphen. type: keyword example: 00-00-5E-00-53-23
     source.nat.ip Translated ip of source based NAT sessions (e.g. internal
     client to internet)Typically connections traversing load balancers,
     firewalls, or routers. type: ip source.nat.port Translated port of source
     based NAT sessions. (e.g. internal client to internet)Typically used with
     load balancers, firewalls, or routers. type: long format: string
     source.packets Packets sent from the source to the destination. type: long
     example: 12 source.port Port of the source. type: long format: string
     source.registered_domain The highest registered source domain, stripped of
     the subdomain.For example, the registered domain for "foo.example.com" is
     "example.com".This value can be determined precisely with a list like the
     public suffix list ( http://publicsuffix.org ). Trying to approximate this
     by simply taking the last two labels will not work well for TLDs such as
     "co.uk". type: keyword example: example.com source.subdomain The subdomain
     portion of a fully qualified domain name includes all of the names except
     the host name under the registered_domain. In a partially qualified domain,
     or if the the qualification level of the full name cannot be determined,
     subdomain contains all of the names below the registered domain.For example
     the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain
     has multiple levels of subdomain, such as "sub2.sub1.example.com", the
     subdomain field should contain "sub2.sub1", with no trailing period. type:
     keyword example: east source.top_level_domain The effective top level
     domain (eTLD), also known as the domain suffix, is the last part of the
     domain name. For example, the top level domain for example.com is
     "com".This value can be determined precisely with a list like the public
     suffix list ( http://publicsuffix.org ). Trying to approximate this by
     simply taking the last label will not work well for effective TLDs such as
     "co.uk". type: keyword example: co.uk source.user.domain Name of the
     directory the user is a member of.For example, an LDAP or Active Directory
     domain name. type: keyword source.user.email User email address. type:
     keyword source.user.full_name User’s full name, if available. type: keyword
     example: Albert Einstein source.user.full_name.text type: match_only_text
     source.user.group.domain Name of the directory the group is a member of.For
     example, an LDAP or Active Directory domain name. type: keyword
     source.user.group.id Unique identifier for the group on the
     system/platform. type: keyword source.user.group.name Name of the group.
     type: keyword source.user.hash Unique user hash to correlate information
     for a user in anonymized form.Useful if user.id or user.name contain
     confidential information and cannot be used. type: keyword source.user.id
     Unique identifier of the user. type: keyword example:
     S-1-5-21-202424912787-2692429404-2351956786-1000 source.user.name Short
     name or login of the user. type: keyword example: a.einstein
     source.user.name.text type: match_only_text source.user.roles Array of user
     roles at the time of the event. type: keyword example: ["kibana_admin",
     "reporting_user"] threat Fields to classify events and alerts according to
     a threat taxonomy such as the MITRE ATT&CK® framework.These fields are for
     users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.)
     within a common taxonomy. The threat.tactic.* fields are meant to capture
     the high level category of the threat (e.g. "impact"). The
     threat.technique.* fields are meant to capture which kind of approach is
     used by this detected threat, to accomplish the goal (e.g. "endpoint denial
     of service"). threat.enrichments A list of associated indicators objects
     enriching the event, and the context of that association/enrichment. type:
     nested threat.enrichments.indicator Object containing associated indicators
     enriching the event. type: object threat.enrichments.indicator.as.number
     Unique number allocated to the autonomous system. The autonomous system
     number (ASN) uniquely identifies each network on the Internet. type: long
     example: 15169 threat.enrichments.indicator.as.organization.name
     Organization name. type: keyword example: Google LLC
     threat.enrichments.indicator.as.organization.name.text type:
     match_only_text threat.enrichments.indicator.confidence
     Identifies the vendor-neutral confidence rating using the
     None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework.
     Vendor-specific confidence scales may be added as custom fields.Expected
     values are: * Not Specified * None * Low * Medium * High type: keyword
     example: Medium threat.enrichments.indicator.description Describes the type
     of action conducted by the threat. type: keyword example: IP x.x.x.x was
     observed delivering the Angler EK.
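     The source.address, source.registered_domain, source.subdomain and source.top_level_domain entries above describe how a raw address is classified and how the domain parts are derived. The Python below is an added example, not ECS project code, that applies those rules: PUBLIC_SUFFIXES is a constructed, tiny subset of the public suffix list, and the subdomain is taken as every label left of the registered domain, as in the sub2.sub1 example.

```python
import ipaddress

# Constructed subset of the public suffix list (publicsuffix.org). The real
# list has thousands of rules; "co.uk" is the case the ECS text warns about.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def split_domain(domain: str) -> dict:
    """Derive top_level_domain, registered_domain and subdomain for a host name.

    The effective TLD is the longest trailing run of labels found in the suffix
    list (when nothing matches, the suffix list's own fallback applies: the
    last label alone is the TLD). The registered domain is the eTLD plus one
    label; the subdomain is everything left of that ("sub2.sub1" for
    sub2.sub1.example.com).
    """
    labels = domain.lower().rstrip(".").split(".")
    etld_start = len(labels) - 1          # fallback: last label is the TLD
    for i in range(len(labels)):          # longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            etld_start = i
            break
    parts = {
        "top_level_domain": ".".join(labels[etld_start:]),
        "registered_domain": None,
        "subdomain": None,
    }
    if etld_start >= 1:
        parts["registered_domain"] = ".".join(labels[etld_start - 1:])
    if etld_start >= 2:
        parts["subdomain"] = ".".join(labels[:etld_start - 1])
    return parts


def naive_registered_domain(domain: str) -> str:
    """The approximation the ECS text warns against: just the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def enrich_source(raw: str) -> dict:
    """Populate source.* from one raw address as the source.address entry says.

    The raw value always goes into source.address and is then copied to
    source.ip or source.domain depending on what it is; a unix socket path is
    neither, so only source.address is set for it.
    """
    fields = {"source.address": raw}
    try:
        fields["source.ip"] = str(ipaddress.ip_address(raw))
        return fields
    except ValueError:
        pass
    if raw.startswith("/"):
        return fields
    fields["source.domain"] = raw
    for key, value in split_domain(raw).items():
        if value is not None:
            fields["source." + key] = value
    return fields


if __name__ == "__main__":
    # Constructed sample addresses as they might appear in raw log lines.
    for raw in ("10.0.0.5", "mydomain.co.uk", "sub2.sub1.example.com",
                "/var/run/docker.sock"):
        print(raw, "->", enrich_source(raw))
    # The last-two-labels shortcut yields "co.uk" here, which is not a registered domain.
    print("naive:", naive_registered_domain("mydomain.co.uk"))
```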
     threat.enrichments.indicator.email.address
       Identifies a threat indicator as an email address (irrespective of direction).
       type: keyword example: phish@example.com

     threat.enrichments.indicator.file.accessed
       Last time the file was accessed. Note that not all filesystems keep track of access time.
       type: date

     threat.enrichments.indicator.file.attributes
       Array of file attributes. Attribute names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
       type: keyword example: ["readonly", "system"]

     threat.enrichments.indicator.file.code_signature.digest_algorithm
       The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
       type: keyword example: sha256

     threat.enrichments.indicator.file.code_signature.exists
       Boolean to capture if a signature is present.
       type: boolean example: true

     threat.enrichments.indicator.file.code_signature.signing_id
       The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
       type: keyword example: com.apple.xpc.proxy

     threat.enrichments.indicator.file.code_signature.status
       Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
       type: keyword example: ERROR_UNTRUSTED_ROOT

     threat.enrichments.indicator.file.code_signature.subject_name
       Subject name of the code signer.
       type: keyword example: Microsoft Corporation

     threat.enrichments.indicator.file.code_signature.team_id
       The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
       type: keyword example: EQHXZ8M8AV

     threat.enrichments.indicator.file.code_signature.timestamp
       Date and time when the code signature was generated and signed.
       type: date example: 2021-01-01T12:10:30Z

     threat.enrichments.indicator.file.code_signature.trusted
       Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
       type: boolean example: true

     threat.enrichments.indicator.file.code_signature.valid
       Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
       type: boolean example: true

     threat.enrichments.indicator.file.created
       File creation time. Note that not all filesystems store the creation time.
       type: date

     threat.enrichments.indicator.file.ctime
       Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file.
       type: date

     threat.enrichments.indicator.file.device
       Device that is the source of the file.
       type: keyword example: sda

     threat.enrichments.indicator.file.directory
       Directory where the file is located. It should include the drive letter, when appropriate.
       type: keyword example: /home/alice

     threat.enrichments.indicator.file.drive_letter
       Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
       type: keyword example: C

     threat.enrichments.indicator.file.elf.architecture
       Machine architecture of the ELF file.
       type: keyword example: x86-64

     threat.enrichments.indicator.file.elf.byte_order
       Byte sequence of ELF file.
       type: keyword example: Little Endian

     threat.enrichments.indicator.file.elf.cpu_type
       CPU type of the ELF file.
       type: keyword example: Intel

     threat.enrichments.indicator.file.elf.creation_date
       Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
       type: date

     threat.enrichments.indicator.file.elf.exports
       List of exported element names and types.
       type: flattened

     threat.enrichments.indicator.file.elf.header.abi_version
       Version of the ELF Application Binary Interface (ABI).
       type: keyword

     threat.enrichments.indicator.file.elf.header.class
       Header class of the ELF file.
       type: keyword

     threat.enrichments.indicator.file.elf.header.data
       Data table of the ELF header.
       type: keyword

     threat.enrichments.indicator.file.elf.header.entrypoint
       Header entrypoint of the ELF file.
       type: long format: string

     threat.enrichments.indicator.file.elf.header.object_version
       "0x1" for original ELF files.
       type: keyword

     threat.enrichments.indicator.file.elf.header.os_abi
       Application Binary Interface (ABI) of the Linux OS.
       type: keyword

     threat.enrichments.indicator.file.elf.header.type
       Header type of the ELF file.
       type: keyword

     threat.enrichments.indicator.file.elf.header.version
       Version of the ELF header.
       type: keyword

     threat.enrichments.indicator.file.elf.imports
       List of imported element names and types.
       type: flattened

     threat.enrichments.indicator.file.elf.sections
       An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.
       type: nested

     threat.enrichments.indicator.file.elf.sections.chi2
       Chi-square probability distribution of the section.
       type: long format: number

     threat.enrichments.indicator.file.elf.sections.entropy
       Shannon entropy calculation from the section.
       type: long format: number

     threat.enrichments.indicator.file.elf.sections.flags
       ELF Section List flags.
       type: keyword

     threat.enrichments.indicator.file.elf.sections.name
       ELF Section List name.
       type: keyword

     threat.enrichments.indicator.file.elf.sections.physical_offset
       ELF Section List offset.
       type: keyword

     threat.enrichments.indicator.file.elf.sections.physical_size
       ELF Section List physical size.
       type: long format: bytes

     threat.enrichments.indicator.file.elf.sections.type
       ELF Section List type.
       type: keyword

     threat.enrichments.indicator.file.elf.sections.virtual_address
       ELF Section List virtual address.
       type: long format: string

     threat.enrichments.indicator.file.elf.sections.virtual_size
       ELF Section List virtual size.
       type: long format: string

     threat.enrichments.indicator.file.elf.segments
       An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.
       type: nested

     threat.enrichments.indicator.file.elf.segments.sections
       ELF object segment sections.
       type: keyword

     threat.enrichments.indicator.file.elf.segments.type
       ELF object segment type.
       type: keyword

     threat.enrichments.indicator.file.elf.shared_libraries
       List of shared libraries used by this ELF object.
       type: keyword

     threat.enrichments.indicator.file.elf.telfhash
       telfhash symbol hash for ELF file.
       type: keyword

     threat.enrichments.indicator.file.extension
       File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
       type: keyword example: png

     threat.enrichments.indicator.file.fork_name
       A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name.
       type: keyword example: Zone.Identifier
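     The file.fork_name, file.extension, file.directory and file.drive_letter entries above together define how one full path is split into the ECS file.* fields. The Python below is an added example, not ECS project code, that applies those rules to Windows paths (including an ADS fork) and POSIX paths; recognising a Windows path by its drive-letter prefix is this example's own assumption, and the Zone.Identifier check is a triage helper built on the text's remark about downloaded content.

```python
def ecs_file_fields(full_path: str) -> dict:
    """Split a full path into the ECS file.* fields described above.

    Windows paths are recognised (assumption of this example) by a drive letter
    followed by ':' and a separator. For them, file.drive_letter is the
    uppercase letter without the colon, and a ':' inside the last path
    component marks an NTFS alternate data stream: the text after it becomes
    file.fork_name and is removed from file.name, while file.path keeps the
    whole string, as the fork_name entry requires.
    """
    fields = {"file.path": full_path}
    windows = (
        len(full_path) > 2
        and full_path[0].isalpha()
        and full_path[1] == ":"
        and full_path[2] in "\\/"
    )
    sep = "\\" if windows else "/"
    path = full_path.replace("/", "\\") if windows else full_path
    directory, _, leaf = path.rpartition(sep)
    if windows:
        fields["file.drive_letter"] = full_path[0].upper()
        if directory.endswith(":"):      # file directly under the drive root
            directory += sep
        # A colon cannot appear in a regular NTFS file name, so anything after
        # the first ':' in the leaf is the stream (fork) name, e.g. Zone.Identifier.
        leaf, colon, fork = leaf.partition(":")
        if colon and fork:
            fields["file.fork_name"] = fork
    fields["file.directory"] = directory or sep
    fields["file.name"] = leaf
    # Only the last extension is captured ("gz", not "tar.gz"); a dot that
    # starts the name (".bashrc") is part of the name, not an extension.
    stem, dot, ext = leaf.rpartition(".")
    if dot and stem and ext:
        fields["file.extension"] = ext
    return fields


def carries_mark_of_the_web(fields: dict) -> bool:
    """True when the path names the Zone.Identifier stream that Windows writes
    for content downloaded from the Internet; tolerates a trailing ':$DATA'."""
    return fields.get("file.fork_name", "").split(":")[0] == "Zone.Identifier"


if __name__ == "__main__":
    # Constructed sample paths as they might appear in endpoint telemetry.
    for p in (r"C:\Users\alice\Downloads\report.docx:Zone.Identifier",
              r"C:\boot.ini", "/home/alice/example.tar.gz", "/tmp/.bashrc"):
        f = ecs_file_fields(p)
        print(f, "MOTW" if carries_mark_of_the_web(f) else "")
```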
     threat.enrichments.indicator.file.gid
       Primary group ID (GID) of the file.
       type: keyword example: 1001

     threat.enrichments.indicator.file.group
       Primary group name of the file.
       type: keyword example: alice

     threat.enrichments.indicator.file.hash.md5
       MD5 hash.
       type: keyword

     threat.enrichments.indicator.file.hash.sha1
       SHA1 hash.
       type: keyword

     threat.enrichments.indicator.file.hash.sha256
       SHA256 hash.
       type: keyword

     threat.enrichments.indicator.file.hash.sha512
       SHA512 hash.
       type: keyword

     threat.enrichments.indicator.file.hash.ssdeep
       SSDEEP hash.
       type: keyword

     threat.enrichments.indicator.file.inode
       Inode representing the file in the filesystem.
       type: keyword example: 256383

     threat.enrichments.indicator.file.mime_type
       MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used.
       type: keyword

     threat.enrichments.indicator.file.mode
       Mode of the file in octal representation.
       type: keyword example: 0640

     threat.enrichments.indicator.file.mtime
       Last time the file content was modified.
       type: date

     threat.enrichments.indicator.file.name
       Name of the file including the extension, without the directory.
       type: keyword example: example.png

     threat.enrichments.indicator.file.owner
       File owner’s username.
       type: keyword example: alice

     threat.enrichments.indicator.file.path
       Full path to the file, including the file name. It should include the drive letter, when appropriate.
       type: keyword example: /home/alice/example.png

     threat.enrichments.indicator.file.path.text
       type: match_only_text

     threat.enrichments.indicator.file.pe.architecture
       CPU architecture target for the file.
       type: keyword example: x64

     threat.enrichments.indicator.file.pe.company
       Internal company name of the file, provided at compile-time.
       type: keyword example: Microsoft Corporation

     threat.enrichments.indicator.file.pe.description
       Internal description of the file, provided at compile-time.
       type: keyword example: Paint

     threat.enrichments.indicator.file.pe.file_version
       Internal version of the file, provided at compile-time.
       type: keyword example: 6.3.9600.17415

     threat.enrichments.indicator.file.pe.imphash
       A hash of the imports in a PE file. An imphash, or import hash, can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html .
       type: keyword example: 0c6803c4e922103c4dca5963aad36ddf

     threat.enrichments.indicator.file.pe.original_file_name
       Internal name of the file, provided at compile-time.
       type: keyword example: MSPAINT.EXE

     threat.enrichments.indicator.file.pe.product
       Internal product name of the file, provided at compile-time.
       type: keyword example: Microsoft® Windows® Operating System

     threat.enrichments.indicator.file.size
       File size in bytes. Only relevant when file.type is "file".
       type: long example: 16384

     threat.enrichments.indicator.file.target_path
       Target path for symlinks.
       type: keyword

     threat.enrichments.indicator.file.target_path.text
       type: match_only_text

     threat.enrichments.indicator.file.type
       File type (file, dir, or symlink).
       type: keyword example: file

     threat.enrichments.indicator.file.uid
       The user ID (UID) or security identifier (SID) of the file owner.
       type: keyword example: 1001

     threat.enrichments.indicator.file.x509.alternative_names
       List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
       type: keyword example: *.elastic.co

     threat.enrichments.indicator.file.x509.issuer.common_name
       List of common name (CN) of issuing certificate authority.
       type: keyword example: Example SHA2 High Assurance Server CA

     threat.enrichments.indicator.file.x509.issuer.country
       List of country (C) codes.
       type: keyword example: US

     threat.enrichments.indicator.file.x509.issuer.distinguished_name
       Distinguished name (DN) of issuing certificate authority.
       type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

     threat.enrichments.indicator.file.x509.issuer.locality
       List of locality names (L).
       type: keyword example: Mountain View

     threat.enrichments.indicator.file.x509.issuer.organization
       List of organizations (O) of issuing certificate authority.
       type: keyword example: Example Inc

     threat.enrichments.indicator.file.x509.issuer.organizational_unit
       List of organizational units (OU) of issuing certificate authority.
       type: keyword example: www.example.com

     threat.enrichments.indicator.file.x509.issuer.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword example: California

     threat.enrichments.indicator.file.x509.not_after
       Time at which the certificate is no longer considered valid.
       type: date example: 2020-07-16 03:15:39+00:00

     threat.enrichments.indicator.file.x509.not_before
       Time at which the certificate is first considered valid.
       type: date example: 2019-08-16 01:40:25+00:00

     threat.enrichments.indicator.file.x509.public_key_algorithm
       Algorithm used to generate the public key.
       type: keyword example: RSA

     threat.enrichments.indicator.file.x509.public_key_curve
       The curve used by the elliptic curve public key algorithm. This is algorithm specific.
       type: keyword example: nistp521

     threat.enrichments.indicator.file.x509.public_key_exponent
       Exponent used to derive the public key. This is algorithm specific.
       type: long example: 65537
       Field is not indexed.

     threat.enrichments.indicator.file.x509.public_key_size
       The size of the public key space in bits.
       type: long example: 2048

     threat.enrichments.indicator.file.x509.serial_number
       Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
       type: keyword example: 55FBB9C7DEBF09809D12CCAA

     threat.enrichments.indicator.file.x509.signature_algorithm
       Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353 .
       type: keyword example: SHA256-RSA

     threat.enrichments.indicator.file.x509.subject.common_name
       List of common names (CN) of subject.
       type: keyword example: shared.global.example.net

     threat.enrichments.indicator.file.x509.subject.country
       List of country (C) code.
       type: keyword example: US

     threat.enrichments.indicator.file.x509.subject.distinguished_name
       Distinguished name (DN) of the certificate subject entity.
       type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

     threat.enrichments.indicator.file.x509.subject.locality
       List of locality names (L).
       type: keyword example: San Francisco

     threat.enrichments.indicator.file.x509.subject.organization
       List of organizations (O) of subject.
       type: keyword example: Example, Inc.

     threat.enrichments.indicator.file.x509.subject.organizational_unit
       List of organizational units (OU) of subject.
       type: keyword

     threat.enrichments.indicator.file.x509.subject.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword example: California

     threat.enrichments.indicator.file.x509.version_number
       Version of x509 format.
       type: keyword example: 3

     threat.enrichments.indicator.first_seen
       The date and time when intelligence source first reported sighting this indicator.
       type: date example: 2020-11-05T17:25:47.000Z

     threat.enrichments.indicator.geo.city_name
       City name.
       type: keyword example: Montreal

     threat.enrichments.indicator.geo.continent_code
       Two-letter code representing continent’s name.
       type: keyword example: NA

     threat.enrichments.indicator.geo.continent_name
       Name of the continent.
       type: keyword example: North America

     threat.enrichments.indicator.geo.country_iso_code
       Country ISO code.
       type: keyword example: CA

     threat.enrichments.indicator.geo.country_name
       Country name.
       type: keyword example: Canada

     threat.enrichments.indicator.geo.location
       Longitude and latitude.
       type: geo_point example: { "lon": -73.614830, "lat": 45.505918 }

     threat.enrichments.indicator.geo.name
       User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
       type: keyword example: boston-dc

     threat.enrichments.indicator.geo.postal_code
       Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
       type: keyword example: 94040

     threat.enrichments.indicator.geo.region_iso_code
       Region ISO code.
       type: keyword example: CA-QC

     threat.enrichments.indicator.geo.region_name
       Region name.
       type: keyword example: Quebec

     threat.enrichments.indicator.geo.timezone
       The time zone of the location, such as IANA time zone name.
       type: keyword example: America/Argentina/Buenos_Aires

     threat.enrichments.indicator.ip
       Identifies a threat indicator as an IP address (irrespective of direction).
       type: ip example: 1.2.3.4

     threat.enrichments.indicator.last_seen
       The date and time when intelligence source last reported sighting this indicator.
       type: date example: 2020-11-05T17:25:47.000Z

     threat.enrichments.indicator.marking.tlp
       Traffic Light Protocol sharing markings. Recommended values are:
       * WHITE
       * GREEN
       * AMBER
       * RED
       type: keyword example: White

     threat.enrichments.indicator.modified_at
       The date and time when intelligence source last modified information for this indicator.
       type: date example: 2020-11-05T17:25:47.000Z

     threat.enrichments.indicator.port
       Identifies a threat indicator as a port number (irrespective of direction).
       type: long example: 443

     threat.enrichments.indicator.provider
       The name of the indicator’s provider.
       type: keyword example: lrz_urlhaus

     threat.enrichments.indicator.reference
       Reference URL linking to additional information about this indicator.
       type: keyword example: https://system.example.com/indicator/0001234

     threat.enrichments.indicator.registry.data.bytes
       Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by lp_data. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
       type: keyword example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=

     threat.enrichments.indicator.registry.data.strings
       Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g. "1").
       type: wildcard example:
     ["C:\rta\red_ttp\bin\myapp.exe"]
     threat.enrichments.indicator.registry.data.type Standard registry type for
     encoding contents type: keyword example: REG_SZ
     threat.enrichments.indicator.registry.hive Abbreviated name for the hive.
     type: keyword example: HKLM threat.enrichments.indicator.registry.key
     Hive-relative path of keys. type: keyword example:
     SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
     Options\winword.exe threat.enrichments.indicator.registry.path Full path,
     including hive, key and value type: keyword example:
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
     Options\winword.exe\Debugger threat.enrichments.indicator.registry.value
     Name of the value written. type: keyword example: Debugger
     threat.enrichments.indicator.scanner_stats Count of AV/EDR vendors that
     successfully detected malicious file or URL. type: long example: 4
     threat.enrichments.indicator.sightings Number of times this indicator was
     observed conducting threat activity. type: long example: 20
     threat.enrichments.indicator.type Type of indicator as represented by Cyber
     Observable in STIX 2.0. Recommended values: * autonomous-system * artifact
     * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr *
     mac-addr * mutex * port * process * software * url * user-account *
     windows-registry-key * x509-certificate type: keyword example: ipv4-addr
     threat.enrichments.indicator.url.domain Domain of the url, such as
     "www.elastic.co".In some cases a URL may refer to an IP and/or port
     directly, without a domain name. In this case, the IP address would go to
     the domain field.If the URL contains a literal IPv6 address enclosed by [
     and ] (IETF RFC 2732), the [ and ] characters should also be captured in
     the domain field. type: keyword example: www.elastic.co
     threat.enrichments.indicator.url.extension The field contains the file
     extension from the original request url, excluding the leading dot.The file
     extension is only set if it exists, as not every url has a file
     extension.The leading period must not be included. For example, the value
     must be "png", not ".png".Note that when the file name has multiple
     extensions (example.tar.gz), only the last one should be captured ("gz",
     not "tar.gz"). type: keyword example: png
     threat.enrichments.indicator.url.fragment Portion of the url after the # ,
     such as "top".The # is not part of the fragment. type: keyword
     threat.enrichments.indicator.url.full If full URLs are important to your
     use case, they should be stored in url.full , whether this field is
     reconstructed or present in the event source. type: wildcard example:
     https://www.elastic.co:443/search?q=elasticsearch#top
     threat.enrichments.indicator.url.full.text type: match_only_text
     threat.enrichments.indicator.url.original Unmodified original url as seen
     in the event source.Note that in network monitoring, the observed URL may
     be a full URL, whereas in access logs, the URL is often just represented as
     a path.This field is meant to represent the URL as it was observed,
     complete or not. type: wildcard example:
     https://www.elastic.co:443/search?q=elasticsearch#top or
     /search?q=elasticsearch threat.enrichments.indicator.url.original.text
     type: match_only_text threat.enrichments.indicator.url.password Password of
     the request. type: keyword threat.enrichments.indicator.url.path Path of
     the request, such as "/search". type: wildcard
     threat.enrichments.indicator.url.port Port of the request, such as 443.
     type: long example: 443 format: string
     threat.enrichments.indicator.url.query The query field describes the query
     string of the request, such as "q=elasticsearch".The ? is excluded from the
     query string. If a URL contains no ? , there is no query field. If there is
     a ? but no query, the query field exists with an empty string. The exists
     query can be used to differentiate between the two cases. type: keyword
     threat.enrichments.indicator.url.registered_domain The highest registered
     url domain, stripped of the subdomain.For example, the registered domain
     for "foo.example.com" is "example.com".This value can be determined
     precisely with a list like the public suffix list ( http://publicsuffix.org
     ). Trying to approximate this by simply taking the last two labels will not
     work well for TLDs such as "co.uk". type: keyword example: example.com
     threat.enrichments.indicator.url.scheme Scheme of the request, such as
     "https".Note: The : is not part of the scheme. type: keyword example: https
     threat.enrichments.indicator.url.subdomain The subdomain portion of a fully
     qualified domain name includes all of the names except the host name under
     the registered_domain. In a partially qualified domain, or if the the
     qualification level of the full name cannot be determined, subdomain
     contains all of the names below the registered domain.For example the
     subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has
     multiple levels of subdomain, such as "sub2.sub1.example.com", the
     subdomain field should contain "sub2.sub1", with no trailing period. type:
     keyword example: east threat.enrichments.indicator.url.top_level_domain The
     effective top level domain (eTLD), also known as the domain suffix, is the
     last part of the domain name. For example, the top level domain for
     example.com is "com".This value can be determined precisely with a list
     like the public suffix list ( http://publicsuffix.org ). Trying to
     approximate this by simply taking the last label will not work well for
     effective TLDs such as "co.uk". type: keyword example: co.uk
     threat.enrichments.indicator.url.username Username of the request. type:
     keyword threat.enrichments.indicator.x509.alternative_names List of subject
     alternative names (SAN). Name types vary by certificate authority and
     certificate type but commonly contain IP addresses, DNS names (and
     wildcards), and email addresses. type: keyword example: *.elastic.co
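     The url.* descriptions above define a decomposition with several edge cases: a bracketed IPv6 literal kept in url.domain, only the last file extension captured, a query field that exists but is empty when the URL ends in a bare ?, and registered_domain/top_level_domain resolved through the public suffix list rather than by counting labels. The following Python is an added example, not Elastic's or ECS's own code; it embeds a tiny constructed stand-in for the public suffix list, and the names ecs_url_fields, split_registrable, last_extension and PUBLIC_SUFFIXES are its own. For url.subdomain it follows the "sub2.sub1.example.com" reading (every label left of the registered domain).

```python
"""Decompose an observed URL into ECS url.* fields following the rules in the
field descriptions above (added example; not ECS or Elastic code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (publicsuffix.org). A real
# deployment loads the full list; this subset only serves the examples here.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co", "uk", "co.uk", "ac.uk"}


def split_registrable(domain):
    """Return (subdomain, registered_domain, top_level_domain), None where absent.

    The longest matching public suffix wins, so "co.uk" beats "uk"; this is
    why the descriptions warn against simply taking the last one or two labels.
    """
    try:
        ipaddress.ip_address(domain.strip("[]"))
        return None, None, None  # IP literals have no registrable domain
    except ValueError:
        pass
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None, None, suffix  # the whole name is itself a suffix
            registered = ".".join(labels[i - 1:])
            subdomain = ".".join(labels[: i - 1]) or None
            return subdomain, registered, suffix
    return None, None, None


def last_extension(path):
    """Extension of the last path segment without the dot; "gz" for x.tar.gz.

    Assumption: a leading-dot name such as ".profile" has no extension.
    """
    name = path.rsplit("/", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return ext if dot and stem and ext else None


def ecs_url_fields(observed):
    """Map one observed URL (full or path-only) to ECS url.* keys."""
    parts = urlsplit(observed)
    fields = {"url.original": observed}
    if parts.scheme:
        fields["url.scheme"] = parts.scheme  # the ":" is not part of the scheme
    if parts.hostname:
        host = parts.hostname
        # Keep the [ ] around a literal IPv6 address (RFC 2732).
        if parts.netloc.rsplit("@", 1)[-1].startswith("["):
            host = f"[{host}]"
        fields["url.domain"] = host
        # url.full is only meaningful when the observed value is a full URL.
        fields["url.full"] = observed
        sub, reg, tld = split_registrable(host)
        if reg:
            fields["url.registered_domain"] = reg
        if tld:
            fields["url.top_level_domain"] = tld
        if sub:
            fields["url.subdomain"] = sub
    try:
        if parts.port is not None:
            fields["url.port"] = parts.port
    except ValueError:
        pass  # a malformed port stays unset rather than aborting the event
    if parts.username is not None:
        fields["url.username"] = parts.username
    if parts.password is not None:
        fields["url.password"] = parts.password
    if parts.path:
        fields["url.path"] = parts.path
        ext = last_extension(parts.path)
        if ext:
            fields["url.extension"] = ext
    # The ? is excluded from the query; a bare ? yields an empty (but present)
    # query field, and no ? at all means no query field.
    if "?" in observed.split("#", 1)[0]:
        fields["url.query"] = parts.query
    if "#" in observed:
        fields["url.fragment"] = parts.fragment  # the # itself is excluded
    return fields


if __name__ == "__main__":
    for url in ("https://www.elastic.co:443/search?q=elasticsearch#top",
                "/search?q=elasticsearch",
                "http://user:pw@[2001:db8::1]:8080/files/example.tar.gz?"):
        print(ecs_url_fields(url))
```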
     * threat.enrichments.indicator.x509.issuer.common_name
       List of common name (CN) of issuing certificate authority. (type: keyword; example: Example SHA2 High Assurance Server CA)
     * threat.enrichments.indicator.x509.issuer.country
       List of country (C) codes. (type: keyword; example: US)
     * threat.enrichments.indicator.x509.issuer.distinguished_name
       Distinguished name (DN) of issuing certificate authority. (type: keyword; example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA)
     * threat.enrichments.indicator.x509.issuer.locality
       List of locality names (L). (type: keyword; example: Mountain View)
     * threat.enrichments.indicator.x509.issuer.organization
       List of organizations (O) of issuing certificate authority. (type: keyword; example: Example Inc)
     * threat.enrichments.indicator.x509.issuer.organizational_unit
       List of organizational units (OU) of issuing certificate authority. (type: keyword; example: www.example.com)
     * threat.enrichments.indicator.x509.issuer.state_or_province
       List of state or province names (ST, S, or P). (type: keyword; example: California)
     * threat.enrichments.indicator.x509.not_after
       Time at which the certificate is no longer considered valid. (type: date; example: 2020-07-16 03:15:39+00:00)
     * threat.enrichments.indicator.x509.not_before
       Time at which the certificate is first considered valid. (type: date; example: 2019-08-16 01:40:25+00:00)
     * threat.enrichments.indicator.x509.public_key_algorithm
       Algorithm used to generate the public key. (type: keyword; example: RSA)
     * threat.enrichments.indicator.x509.public_key_curve
       The curve used by the elliptic curve public key algorithm. This is algorithm specific. (type: keyword; example: nistp521)
     * threat.enrichments.indicator.x509.public_key_exponent
       Exponent used to derive the public key. This is algorithm specific. Field is not indexed. (type: long; example: 65537)
     * threat.enrichments.indicator.x509.public_key_size
       The size of the public key space in bits. (type: long; example: 2048)
     * threat.enrichments.indicator.x509.serial_number
       Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. (type: keyword; example: 55FBB9C7DEBF09809D12CCAA)
     * threat.enrichments.indicator.x509.signature_algorithm
       Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. (type: keyword; example: SHA256-RSA)
     * threat.enrichments.indicator.x509.subject.common_name
       List of common names (CN) of subject. (type: keyword; example: shared.global.example.net)
     * threat.enrichments.indicator.x509.subject.country
       List of country (C) code. (type: keyword; example: US)
     * threat.enrichments.indicator.x509.subject.distinguished_name
       Distinguished name (DN) of the certificate subject entity. (type: keyword; example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net)
     * threat.enrichments.indicator.x509.subject.locality
       List of locality names (L). (type: keyword; example: San Francisco)
     * threat.enrichments.indicator.x509.subject.organization
       List of organizations (O) of subject. (type: keyword; example: Example, Inc.)
     * threat.enrichments.indicator.x509.subject.organizational_unit
       List of organizational units (OU) of subject. (type: keyword)
     * threat.enrichments.indicator.x509.subject.state_or_province
       List of state or province names (ST, S, or P). (type: keyword; example: California)
     * threat.enrichments.indicator.x509.version_number
       Version of x509 format. (type: keyword; example: 3)
     * threat.enrichments.matched.atomic
       Identifies the atomic indicator value that matched a local environment endpoint or network event. (type: keyword; example: bad-domain.com)
     * threat.enrichments.matched.field
       Identifies the field of the atomic indicator that matched a local environment endpoint or network event. (type: keyword; example: file.hash.sha256)
     * threat.enrichments.matched.id
       Identifies the _id of the indicator document enriching the event. (type: keyword; example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5)
     * threat.enrichments.matched.index
       Identifies the _index of the indicator document enriching the event. (type: keyword; example: filebeat-8.0.0-2021.05.23-000011)
     * threat.enrichments.matched.type
       Identifies the type of match that caused the event to be enriched with the given indicator. (type: keyword; example: indicator_match_rule)
     * threat.framework
       Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. (type: keyword; example: MITRE ATT&CK)
     * threat.group.alias
       The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). (type: keyword; example: [ "Magecart Group 6" ])
     * threat.group.id
       The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. (type: keyword; example: G0037)
     * threat.group.name
       The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. (type: keyword; example: FIN6)
     * threat.group.reference
       The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. (type: keyword; example: https://attack.mitre.org/groups/G0037/)
     * threat.indicator.as.number
       Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. (type: long; example: 15169)
     * threat.indicator.as.organization.name
       Organization name. (type: keyword; example: Google LLC)
     * threat.indicator.as.organization.name.text
       (type: match_only_text)
     * threat.indicator.confidence
       Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: Not Specified, None, Low, Medium, High. (type: keyword; example: Medium)
     * threat.indicator.description
       Describes the type of action conducted by the threat. (type: keyword; example: IP x.x.x.x was observed delivering the Angler EK.)
     * threat.indicator.email.address
       Identifies a threat indicator as an email address (irrespective of direction). (type: keyword; example: phish@example.com)
     * threat.indicator.file.accessed
       Last time the file was accessed. Note that not all filesystems keep track of access time. (type: date)
     * threat.indicator.file.attributes
       Array of file attributes. Attribute names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. (type: keyword; example: ["readonly", "system"])
     * threat.indicator.file.code_signature.digest_algorithm
       The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. (type: keyword; example: sha256)
     * threat.indicator.file.code_signature.exists
       Boolean to capture if a signature is present. (type: boolean; example: true)
     * threat.indicator.file.code_signature.signing_id
       The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. (type: keyword; example: com.apple.xpc.proxy)
     * threat.indicator.file.code_signature.status
       Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. (type: keyword; example: ERROR_UNTRUSTED_ROOT)
     * threat.indicator.file.code_signature.subject_name
       Subject name of the code signer. (type: keyword; example: Microsoft Corporation)
     * threat.indicator.file.code_signature.team_id
       The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. (type: keyword; example: EQHXZ8M8AV)
     * threat.indicator.file.code_signature.timestamp
       Date and time when the code signature was generated and signed. (type: date; example: 2021-01-01T12:10:30Z)
     * threat.indicator.file.code_signature.trusted
       Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. (type: boolean; example: true)
     * threat.indicator.file.code_signature.valid
       Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. (type: boolean; example: true)
     * threat.indicator.file.created
       File creation time. Note that not all filesystems store the creation time. (type: date)
     * threat.indicator.file.ctime
       Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file. (type: date)
     * threat.indicator.file.device
       Device that is the source of the file. (type: keyword; example: sda)
     * threat.indicator.file.directory
       Directory where the file is located. It should include the drive letter, when appropriate. (type: keyword; example: /home/alice)
     * threat.indicator.file.drive_letter
       Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. (type: keyword; example: C)
     * threat.indicator.file.elf.architecture
       Machine architecture of the ELF file. (type: keyword; example: x86-64)
     * threat.indicator.file.elf.byte_order
       Byte sequence of ELF file. (type: keyword; example: Little Endian)
     * threat.indicator.file.elf.cpu_type
       CPU type of the ELF file. (type: keyword; example: Intel)
     * threat.indicator.file.elf.creation_date
       Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. (type: date)
     * threat.indicator.file.elf.exports
       List of exported element names and types. (type: flattened)
     * threat.indicator.file.elf.header.abi_version
       Version of the ELF Application Binary Interface (ABI). (type: keyword)
     * threat.indicator.file.elf.header.class
       Header class of the ELF file. (type: keyword)
     * threat.indicator.file.elf.header.data
       Data table of the ELF header. (type: keyword)
     * threat.indicator.file.elf.header.entrypoint
       Header entrypoint of the ELF file. (type: long; format: string)
     * threat.indicator.file.elf.header.object_version
       "0x1" for original ELF files. (type: keyword)
     * threat.indicator.file.elf.header.os_abi
       Application Binary Interface (ABI) of the Linux OS. (type: keyword)
     * threat.indicator.file.elf.header.type
       Header type of the ELF file. (type: keyword)
     * threat.indicator.file.elf.header.version
       Version of the ELF header. (type: keyword)
     * threat.indicator.file.elf.imports
       List of imported element names and types. (type: flattened)
     * threat.indicator.file.elf.sections
       An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*. (type: nested)
     * threat.indicator.file.elf.sections.chi2
       Chi-square probability distribution of the section. (type: long; format: number)
     * threat.indicator.file.elf.sections.entropy
       Shannon entropy calculation from the section. (type: long; format: number)
     * threat.indicator.file.elf.sections.flags
       ELF Section List flags. (type: keyword)
     * threat.indicator.file.elf.sections.name
       ELF Section List name. (type: keyword)
     * threat.indicator.file.elf.sections.physical_offset
       ELF Section List offset. (type: keyword)
     * threat.indicator.file.elf.sections.physical_size
       ELF Section List physical size. (type: long; format: bytes)
     * threat.indicator.file.elf.sections.type
       ELF Section List type. (type: keyword)
     * threat.indicator.file.elf.sections.virtual_address
       ELF Section List virtual address. (type: long; format: string)
     * threat.indicator.file.elf.sections.virtual_size
       ELF Section List virtual size. (type: long; format: string)
     * threat.indicator.file.elf.segments
       An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*. (type: nested)
     * threat.indicator.file.elf.segments.sections
       ELF object segment sections. (type: keyword)
     * threat.indicator.file.elf.segments.type
       ELF object segment type. (type: keyword)
     * threat.indicator.file.elf.shared_libraries
       List of shared libraries used by this ELF object. (type: keyword)
     * threat.indicator.file.elf.telfhash
       telfhash symbol hash for ELF file. (type: keyword)
     * threat.indicator.file.extension
       File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). (type: keyword; example: png)
     * threat.indicator.file.fork_name
       A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name. (type: keyword; example: Zone.Identifer)
     * threat.indicator.file.gid
       Primary group ID (GID) of the file. (type: keyword; example: 1001)
     * threat.indicator.file.group
       Primary group name of the file. (type: keyword; example: alice)
     * threat.indicator.file.hash.md5
       MD5 hash. (type: keyword)
     * threat.indicator.file.hash.sha1
       SHA1 hash. (type: keyword)
     * threat.indicator.file.hash.sha256
       SHA256 hash. (type: keyword)
     * threat.indicator.file.hash.sha512
       SHA512 hash. (type: keyword)
     * threat.indicator.file.hash.ssdeep
       SSDEEP hash. (type: keyword)
     * threat.indicator.file.inode
       Inode representing the file in the filesystem. (type: keyword; example: 256383)
     * threat.indicator.file.mime_type
       MIME type should identify the format of the file or stream of bytes using IANA official types, where possible. When more than one type is applicable, the most specific type should be used. (type: keyword)
     * threat.indicator.file.mode
       Mode of the file in octal representation. (type: keyword; example: 0640)
     * threat.indicator.file.mtime
       Last time the file content was modified. (type: date)
     * threat.indicator.file.name
       Name of the file including the extension, without the directory. (type: keyword; example: example.png)
     * threat.indicator.file.owner
       File owner’s username. (type: keyword; example: alice)
     * threat.indicator.file.path
       Full path to the file, including the file name. It should include the drive letter, when appropriate. (type: keyword; example: /home/alice/example.png)
     * threat.indicator.file.path.text
       (type: match_only_text)
     * threat.indicator.file.pe.architecture
       CPU architecture target for the file. (type: keyword; example: x64)
     * threat.indicator.file.pe.company
       Internal company name of the file, provided at compile-time. (type: keyword; example: Microsoft Corporation)
     * threat.indicator.file.pe.description
       Internal description of the file, provided at compile-time. (type: keyword; example: Paint)
     * threat.indicator.file.pe.file_version
       Internal version of the file, provided at compile-time. (type: keyword; example: 6.3.9600.17415)
     * threat.indicator.file.pe.imphash
       A hash of the imports in a PE file. An imphash (or import hash) can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. (type: keyword; example: 0c6803c4e922103c4dca5963aad36ddf)
     * threat.indicator.file.pe.original_file_name
       Internal name of the file, provided at compile-time. (type: keyword; example: MSPAINT.EXE)
     * threat.indicator.file.pe.product
       Internal product name of the file, provided at compile-time. (type: keyword; example: Microsoft® Windows® Operating System)
     * threat.indicator.file.size
       File size in bytes. Only relevant when file.type is "file". (type: long; example: 16384)
     * threat.indicator.file.target_path
       Target path for symlinks. (type: keyword)
     * threat.indicator.file.target_path.text
       (type: match_only_text)
     * threat.indicator.file.type
       File type (file, dir, or symlink). (type: keyword; example: file)
     * threat.indicator.file.uid
       The user ID (UID) or security identifier (SID) of the file owner. (type: keyword; example: 1001)
     * threat.indicator.file.x509.alternative_names
       List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. (type: keyword; example: *.elastic.co)
     * threat.indicator.file.x509.issuer.common_name
       List of common name (CN) of issuing certificate authority. (type: keyword; example: Example SHA2 High Assurance Server CA)
     * threat.indicator.file.x509.issuer.country
       List of country (C) codes. (type: keyword; example: US)
     * threat.indicator.file.x509.issuer.distinguished_name
       Distinguished name (DN) of issuing certificate authority. (type: keyword; example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA)
     * threat.indicator.file.x509.issuer.locality
       List of locality names (L). (type: keyword; example: Mountain View)
     * threat.indicator.file.x509.issuer.organization
       List of organizations (O) of issuing certificate authority. (type: keyword; example: Example Inc)
     * threat.indicator.file.x509.issuer.organizational_unit
       List of organizational units (OU) of issuing certificate authority. (type: keyword; example: www.example.com)
     * threat.indicator.file.x509.issuer.state_or_province
       List of state or province names (ST, S, or P). (type: keyword; example: California)
     * threat.indicator.file.x509.not_after
       Time at which the certificate is no longer considered valid. (type: date; example: 2020-07-16 03:15:39+00:00)
     * threat.indicator.file.x509.not_before
       Time at which the certificate is first considered valid. (type: date; example: 2019-08-16 01:40:25+00:00)
     * threat.indicator.file.x509.public_key_algorithm
       Algorithm used to generate the public key. (type: keyword; example: RSA)
     * threat.indicator.file.x509.public_key_curve
       The curve used by the elliptic curve public key algorithm. This is algorithm specific. (type: keyword; example: nistp521)
     * threat.indicator.file.x509.public_key_exponent
       Exponent used to derive the public key. This is algorithm specific. Field is not indexed. (type: long; example: 65537)
     * threat.indicator.file.x509.public_key_size
       The size of the public key space in bits. (type: long; example: 2048)
     * threat.indicator.file.x509.serial_number
       Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. (type: keyword; example: 55FBB9C7DEBF09809D12CCAA)
     * threat.indicator.file.x509.signature_algorithm
       Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. (type: keyword; example: SHA256-RSA)
     * threat.indicator.file.x509.subject.common_name
       List of common names (CN) of subject. (type: keyword; example: shared.global.example.net)
     * threat.indicator.file.x509.subject.country
       List of country (C) code. (type: keyword; example: US)
     * threat.indicator.file.x509.subject.distinguished_name
       Distinguished name (DN) of the certificate subject entity. (type: keyword; example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net)
     * threat.indicator.file.x509.subject.locality
       List of locality names (L). (type: keyword; example: San Francisco)
     * threat.indicator.file.x509.subject.organization
       List of organizations (O) of subject. (type: keyword; example: Example, Inc.)
     * threat.indicator.file.x509.subject.organizational_unit
       List of organizational units (OU) of subject. (type: keyword)
     * threat.indicator.file.x509.subject.state_or_province
       List of state or province names (ST, S, or P). (type: keyword; example: California)
     * threat.indicator.file.x509.version_number
       Version of x509 format. (type: keyword; example: 3)
     * threat.indicator.first_seen
       The date and time when intelligence source first reported sighting this indicator. (type: date; example: 2020-11-05T17:25:47.000Z)
     * threat.indicator.geo.city_name
       City name. (type: keyword; example: Montreal)
     * threat.indicator.geo.continent_code
       Two-letter code representing continent’s name. (type: keyword; example: NA)
     * threat.indicator.geo.continent_name
       Name of the continent. (type: keyword; example: North America)
     * threat.indicator.geo.country_iso_code
       Country ISO code. (type: keyword; example: CA)
     * threat.indicator.geo.country_name
       Country name. (type: keyword; example: Canada)
     * threat.indicator.geo.location
       Longitude and latitude. (type: geo_point; example: { "lon": -73.614830, "lat": 45.505918 })
     * threat.indicator.geo.name
       User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. (type: keyword; example: boston-dc)
     * threat.indicator.geo.postal_code
       Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. (type: keyword; example: 94040)
     * threat.indicator.geo.region_iso_code
       Region ISO code. (type: keyword; example: CA-QC)
     * threat.indicator.geo.region_name
       Region name. (type: keyword; example: Quebec)
     * threat.indicator.geo.timezone
       The time zone of the location, such as IANA time zone name. (type: keyword; example: America/Argentina/Buenos_Aires)
     * threat.indicator.ip
       Identifies a threat indicator as an IP address (irrespective of direction). (type: ip; example: 1.2.3.4)
     * threat.indicator.last_seen
       The date and time when intelligence source last reported sighting this indicator. (type: date; example: 2020-11-05T17:25:47.000Z)
     * threat.indicator.marking.tlp
       Traffic Light Protocol sharing markings. Recommended values are: WHITE, GREEN, AMBER, RED. (type: keyword; example: WHITE)
     * threat.indicator.modified_at
       The date and time when intelligence source last modified information for this indicator. (type: date; example: 2020-11-05T17:25:47.000Z)
     * threat.indicator.port
       Identifies a threat indicator as a port number (irrespective of direction). (type: long; example: 443)
     * threat.indicator.provider
       The name of the indicator’s provider. (type: keyword; example: lrz_urlhaus)
     * threat.indicator.reference
       Reference URL linking to additional information about this indicator. (type: keyword; example: https://system.example.com/indicator/0001234)
     * threat.indicator.registry.data.bytes
       Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by lp_data. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. (type: keyword; example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=)
     * threat.indicator.registry.data.strings
       Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal
     representation (e.g "1" ). type: wildcard example:
     ["C:\rta\red_ttp\bin\myapp.exe"] threat.indicator.registry.data.type
     Standard registry type for encoding contents type: keyword example: REG_SZ
     threat.indicator.registry.hive Abbreviated name for the hive. type: keyword
     example: HKLM threat.indicator.registry.key Hive-relative path of keys.
     type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
     File Execution Options\winword.exe threat.indicator.registry.path Full
     path, including hive, key and value type: keyword example:
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
     Options\winword.exe\Debugger threat.indicator.registry.value Name of the
     value written. type: keyword example: Debugger
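The registry.data.* rules above (a one-element array for REG_SZ and REG_EXPAND_SZ, a variable-length array for REG_MULTI_SZ, decimal strings for REG_DWORD and REG_QWORD, base64 in data.bytes for REG_BINARY, and path assembled as hive\key\value) carried through in code. This is an added example, not Elastic's code: the function names and the field prefix constant are constructed here, and the only value taken from the page is its data.bytes example, which decodes to a two-entry REG_MULTI_SZ.

```python
import base64
import struct

# Field prefix assumed for this example (the same rules apply to registry.*)
PREFIX = "threat.indicator.registry."

# The page's own data.bytes example, decoded to the raw bytes as written
PAGE_EXAMPLE_BYTES = base64.b64decode("ZQBuAC0AVQBTAAAAZQBuAAAAAAA=")


def ecs_registry_data(reg_type, raw):
    """Normalize one registry value (standard REG_* type name, raw bytes as
    written) into the ECS registry.data.* fields: data.strings is always an
    array, numeric types are rendered in decimal, and data.bytes carries the
    base64 of the original bytes for REG_BINARY."""
    fields = {PREFIX + "data.type": reg_type}
    if reg_type in ("REG_SZ", "REG_EXPAND_SZ"):
        # Single string: a one-element array with the NUL terminator dropped
        text = raw.decode("utf-16-le").rstrip("\x00")
        fields[PREFIX + "data.strings"] = [text]
    elif reg_type == "REG_MULTI_SZ":
        # NUL-separated strings with an extra NUL at the end; the empty
        # entries are terminators, not data, so they are dropped
        parts = raw.decode("utf-16-le").split("\x00")
        fields[PREFIX + "data.strings"] = [s for s in parts if s]
    elif reg_type == "REG_DWORD":
        # 32-bit little-endian unsigned integer, rendered in decimal
        fields[PREFIX + "data.strings"] = [str(struct.unpack("<I", raw)[0])]
    elif reg_type == "REG_QWORD":
        # 64-bit little-endian unsigned integer, rendered in decimal
        fields[PREFIX + "data.strings"] = [str(struct.unpack("<Q", raw)[0])]
    else:
        # REG_BINARY (and any type not handled above): keep the original
        # bytes recoverable as base64
        fields[PREFIX + "data.bytes"] = base64.b64encode(raw).decode("ascii")
    return fields


def ecs_registry_fields(hive, key, value, reg_type, raw):
    """Build the full set of ECS registry fields for one value write:
    hive, hive-relative key, value name, the joined path, and data.*."""
    fields = {
        PREFIX + "hive": hive,
        PREFIX + "key": key,
        PREFIX + "value": value,
        PREFIX + "path": "\\".join((hive, key, value)),
    }
    fields.update(ecs_registry_data(reg_type, raw))
    return fields


if __name__ == "__main__":
    # The page's data.bytes example read as a REG_MULTI_SZ value
    print(ecs_registry_data("REG_MULTI_SZ", PAGE_EXAMPLE_BYTES))
```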
     threat.indicator.scanner_stats
       Count of AV/EDR vendors that successfully detected the malicious file or URL.
       type: long; example: 4
     threat.indicator.sightings
       Number of times this indicator was observed conducting threat activity.
       type: long; example: 20
     threat.indicator.type
       Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: autonomous-system, artifact, directory, domain-name, email-addr, file, ipv4-addr, ipv6-addr, mac-addr, mutex, port, process, software, url, user-account, windows-registry-key, x509-certificate.
       type: keyword; example: ipv4-addr
     threat.indicator.url.domain
       Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.
       type: keyword; example: www.elastic.co
     threat.indicator.url.extension
       The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
       type: keyword; example: png
     threat.indicator.url.fragment
       Portion of the url after the #, such as "top". The # is not part of the fragment.
       type: keyword
     threat.indicator.url.full
       If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.
       type: wildcard; example: https://www.elastic.co:443/search?q=elasticsearch#top
     threat.indicator.url.full.text
       type: match_only_text
     threat.indicator.url.original
       Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
       type: wildcard; example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
     threat.indicator.url.original.text
       type: match_only_text
     threat.indicator.url.password
       Password of the request.
       type: keyword
     threat.indicator.url.path
       Path of the request, such as "/search".
       type: wildcard
     threat.indicator.url.port
       Port of the request, such as 443.
       type: long; example: 443; format: string
     threat.indicator.url.query
       The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.
       type: keyword
     threat.indicator.url.registered_domain
       The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
       type: keyword; example: example.com
     threat.indicator.url.scheme
       Scheme of the request, such as "https". Note: the : is not part of the scheme.
       type: keyword; example: https
     threat.indicator.url.subdomain
       The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
       type: keyword; example: east
     threat.indicator.url.top_level_domain
       The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
       type: keyword; example: co.uk
     threat.indicator.url.username
       Username of the request.
       type: keyword
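The url.* decomposition rules above (IPv6 brackets kept in domain, only the last extension and without its dot, query absent versus empty, fragment without the #, scheme without the colon, and registered_domain/top_level_domain from a public suffix list rather than from label counting) are the same for threat.indicator.url.* and for the url fieldset later on this page; this added example, not Elastic's code, carries them through with Python's urllib.parse. It assumes a small constructed stand-in for the public suffix list, and computes subdomain as every label below the registered domain (the "sub2.sub1.example.com" convention), so it does not drop a host label the way the "www.east.mydomain.co.uk" example does.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (https://publicsuffix.org).
# A real mapping must load the full list; this set only covers the suffixes
# used in the worked calls below.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "uk", "co.uk", "org.uk"}


def split_domain(domain):
    """Split a host name into (top_level_domain, registered_domain, subdomain).

    Longest-suffix match against the suffix list: for www.east.mydomain.co.uk
    the eTLD is "co.uk" and the registered domain "mydomain.co.uk", whereas
    the naive "last two labels" rule the text warns about would return
    "co.uk" as the registered domain. subdomain is every label below the
    registered domain ("sub2.sub1" for sub2.sub1.example.com), no trailing dot.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            registered = ".".join(labels[i - 1:])
            subdomain = ".".join(labels[:i - 1]) or None
            return suffix, registered, subdomain
    return None, None, None  # unknown suffix (or a bare suffix): leave unset


def is_ip_literal(host):
    """True for a dotted-quad IPv4 or a bracketed IPv6 literal, which ECS keeps
    in url.domain but which have no registered domain or eTLD."""
    return host.startswith("[") or host.replace(".", "").isdigit()


def ecs_url_fields(url):
    """Map one observed URL, complete or not, onto ECS url.* fields.
    A field is only set when the URL actually carries that component."""
    parts = urlsplit(url)
    fields = {"url.original": url}
    if parts.scheme:
        fields["url.scheme"] = parts.scheme  # the ":" is not part of the scheme
    if parts.netloc:
        hostport = parts.netloc.rsplit("@", 1)[-1]
        if hostport.startswith("["):
            # RFC 2732 IPv6 literal: the brackets stay in url.domain
            domain = hostport[: hostport.index("]") + 1]
        else:
            domain = parts.hostname
        if domain:
            fields["url.domain"] = domain
            if not is_ip_literal(domain):
                tld, registered, subdomain = split_domain(domain)
                if tld:
                    fields["url.top_level_domain"] = tld
                    fields["url.registered_domain"] = registered
                if subdomain:
                    fields["url.subdomain"] = subdomain
        if parts.port is not None:
            fields["url.port"] = parts.port  # numeric, only when explicit in the URL
        if parts.username:
            fields["url.username"] = parts.username
        if parts.password:
            fields["url.password"] = parts.password
    if parts.path:
        fields["url.path"] = parts.path
        name = parts.path.rsplit("/", 1)[-1]
        dot = name.rfind(".")
        if 0 < dot < len(name) - 1:
            # only the last extension, without the leading dot ("gz", not "tar.gz")
            fields["url.extension"] = name[dot + 1:]
    # a "?" with nothing after it gives an empty string; no "?" means no field
    if "?" in url.split("#", 1)[0]:
        fields["url.query"] = parts.query
    if "#" in url:
        fields["url.fragment"] = parts.fragment  # the "#" itself is excluded
    if parts.scheme and parts.netloc:
        fields["url.full"] = url  # the URL was observed complete
    return fields


if __name__ == "__main__":
    # Constructed sample inputs: a full URL, an access-log path, an IPv6 literal
    for observed in ("https://www.elastic.co:443/search?q=elasticsearch#top",
                     "/search?q=elasticsearch",
                     "http://[2001:db8::1]:8080/files/report.tar.gz?"):
        print(ecs_url_fields(observed))
```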
     threat.indicator.x509.alternative_names
       List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
       type: keyword; example: *.elastic.co
     threat.indicator.x509.issuer.common_name
       List of common names (CN) of the issuing certificate authority.
       type: keyword; example: Example SHA2 High Assurance Server CA
     threat.indicator.x509.issuer.country
       List of country (C) codes.
       type: keyword; example: US
     threat.indicator.x509.issuer.distinguished_name
       Distinguished name (DN) of the issuing certificate authority.
       type: keyword; example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
     threat.indicator.x509.issuer.locality
       List of locality names (L).
       type: keyword; example: Mountain View
     threat.indicator.x509.issuer.organization
       List of organizations (O) of the issuing certificate authority.
       type: keyword; example: Example Inc
     threat.indicator.x509.issuer.organizational_unit
       List of organizational units (OU) of the issuing certificate authority.
       type: keyword; example: www.example.com
     threat.indicator.x509.issuer.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword; example: California
     threat.indicator.x509.not_after
       Time at which the certificate is no longer considered valid.
       type: date; example: 2020-07-16 03:15:39+00:00
     threat.indicator.x509.not_before
       Time at which the certificate is first considered valid.
       type: date; example: 2019-08-16 01:40:25+00:00
     threat.indicator.x509.public_key_algorithm
       Algorithm used to generate the public key.
       type: keyword; example: RSA
     threat.indicator.x509.public_key_curve
       The curve used by the elliptic curve public key algorithm. This is algorithm specific.
       type: keyword; example: nistp521
     threat.indicator.x509.public_key_exponent
       Exponent used to derive the public key. This is algorithm specific.
       type: long; example: 65537. Field is not indexed.
     threat.indicator.x509.public_key_size
       The size of the public key space in bits.
       type: long; example: 2048
     threat.indicator.x509.serial_number
       Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and in uppercase characters.
       type: keyword; example: 55FBB9C7DEBF09809D12CCAA
     threat.indicator.x509.signature_algorithm
       Identifier for the certificate signature algorithm. We recommend using the names found in the Go crypto library; see https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
       type: keyword; example: SHA256-RSA
     threat.indicator.x509.subject.common_name
       List of common names (CN) of subject.
       type: keyword; example: shared.global.example.net
     threat.indicator.x509.subject.country
       List of country (C) codes.
       type: keyword; example: US
     threat.indicator.x509.subject.distinguished_name
       Distinguished name (DN) of the certificate subject entity.
       type: keyword; example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
     threat.indicator.x509.subject.locality
       List of locality names (L).
       type: keyword; example: San Francisco
     threat.indicator.x509.subject.organization
       List of organizations (O) of subject.
       type: keyword; example: Example, Inc.
     threat.indicator.x509.subject.organizational_unit
       List of organizational units (OU) of subject.
       type: keyword
     threat.indicator.x509.subject.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword; example: California
     threat.indicator.x509.version_number
       Version of x509 format.
       type: keyword; example: 3
     threat.software.alias
       The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.
       type: keyword; example: [ "X-Agent" ]
     threat.software.id
       The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
       type: keyword; example: S0552
     threat.software.name
       The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
       type: keyword; example: AdFind
     threat.software.platforms
       The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values: AWS, Azure, Azure AD, GCP, Linux, macOS, Network, Office 365, SaaS, Windows. While not required, you can use the MITRE ATT&CK® software platforms.
       type: keyword; example: [ "Windows" ]
     threat.software.reference
       The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
       type: keyword; example: https://attack.mitre.org/software/S0552/
     threat.software.type
       The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values: Malware, Tool. While not required, you can use a MITRE ATT&CK® software type.
       type: keyword; example: Tool
     threat.tactic.id
       The id of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example (ex. https://attack.mitre.org/tactics/TA0002/).
       type: keyword; example: TA0002
     threat.tactic.name
       Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example (ex. https://attack.mitre.org/tactics/TA0002/).
       type: keyword; example: Execution
     threat.tactic.reference
       The reference url of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example (ex. https://attack.mitre.org/tactics/TA0002/).
       type: keyword; example: https://attack.mitre.org/tactics/TA0002/
     threat.technique.id
       The id of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example (ex. https://attack.mitre.org/techniques/T1059/).
       type: keyword; example: T1059
     threat.technique.name
       The name of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example (ex. https://attack.mitre.org/techniques/T1059/).
       type: keyword; example: Command and Scripting Interpreter
     threat.technique.name.text
       type: match_only_text
     threat.technique.reference
       The reference url of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example (ex. https://attack.mitre.org/techniques/T1059/).
       type: keyword; example: https://attack.mitre.org/techniques/T1059/
     threat.technique.subtechnique.id
       The full id of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example (ex. https://attack.mitre.org/techniques/T1059/001/).
       type: keyword; example: T1059.001
     threat.technique.subtechnique.name
       The name of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example (ex. https://attack.mitre.org/techniques/T1059/001/).
       type: keyword; example: PowerShell
     threat.technique.subtechnique.name.text
       type: match_only_text
     threat.technique.subtechnique.reference
       The reference url of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example (ex. https://attack.mitre.org/techniques/T1059/001/).
       type: keyword; example: https://attack.mitre.org/techniques/T1059/001/
     tls
       Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoid in-depth analysis of the related x.509 certificate files.
     tls.cipher
       String indicating the cipher used during the current connection.
       type: keyword; example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     tls.client.certificate
       PEM-encoded stand-alone certificate offered by the client. This is usually mutually exclusive of client.certificate_chain since this value also exists in that list.
       type: keyword; example: MII…
     tls.client.certificate_chain
       Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually exclusive of client.certificate since that value should be the first certificate in the chain.
       type: keyword; example: ["MII… ", "MII… "]
     tls.client.hash.md5
       Certificate fingerprint using the MD5 digest of the DER-encoded version of the certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
       type: keyword; example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
     tls.client.hash.sha1
       Certificate fingerprint using the SHA1 digest of the DER-encoded version of the certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
       type: keyword; example: 9E393D93138888D288266C2D915214D1D1CCEB2A
     tls.client.hash.sha256
       Certificate fingerprint using the SHA256 digest of the DER-encoded version of the certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
       type: keyword; example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
     tls.client.issuer
       Distinguished name of the subject of the issuer of the x.509 certificate presented by the client.
       type: keyword; example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
     tls.client.ja3
       A hash that identifies clients based on how they perform an SSL/TLS handshake.
       type: keyword; example: d4e5b18d6b55c71272893221c96ba240
     tls.client.not_after
       Date/Time indicating when the client certificate is no longer considered valid.
       type: date; example: 2021-01-01T00:00:00.000Z
     tls.client.not_before
       Date/Time indicating when the client certificate is first considered valid.
       type: date; example: 1970-01-01T00:00:00.000Z
     tls.client.server_name
       Also called an SNI, this tells the server which hostname the client is attempting to connect to. When this value is available, it should get copied to destination.domain.
       type: keyword; example: www.elastic.co
     tls.client.subject
       Distinguished name of the subject of the x.509 certificate presented by the client.
       type: keyword; example: CN=myclient, OU=Documentation Team, DC=example, DC=com
     tls.client.supported_ciphers
       Array of ciphers offered by the client during the client hello.
       type: keyword; example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "… "]
     tls.client.x509.alternative_names
       List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
       type: keyword; example: *.elastic.co
     tls.client.x509.issuer.common_name
       List of common names (CN) of the issuing certificate authority.
       type: keyword; example: Example SHA2 High Assurance Server CA
     tls.client.x509.issuer.country
       List of country (C) codes.
       type: keyword; example: US
     tls.client.x509.issuer.distinguished_name
       Distinguished name (DN) of the issuing certificate authority.
       type: keyword; example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
     tls.client.x509.issuer.locality
       List of locality names (L).
       type: keyword; example: Mountain View
     tls.client.x509.issuer.organization
       List of organizations (O) of the issuing certificate authority.
       type: keyword; example: Example Inc
     tls.client.x509.issuer.organizational_unit
       List of organizational units (OU) of the issuing certificate authority.
       type: keyword; example: www.example.com
     tls.client.x509.issuer.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword; example: California
     tls.client.x509.not_after
       Time at which the certificate is no longer considered valid.
       type: date; example: 2020-07-16 03:15:39+00:00
     tls.client.x509.not_before
       Time at which the certificate is first considered valid.
       type: date; example: 2019-08-16 01:40:25+00:00
     tls.client.x509.public_key_algorithm
       Algorithm used to generate the public key.
       type: keyword; example: RSA
     tls.client.x509.public_key_curve
       The curve used by the elliptic curve public key algorithm. This is algorithm specific.
       type: keyword; example: nistp521
     tls.client.x509.public_key_exponent
       Exponent used to derive the public key. This is algorithm specific.
       type: long; example: 65537. Field is not indexed.
     tls.client.x509.public_key_size
       The size of the public key space in bits.
       type: long; example: 2048
     tls.client.x509.serial_number
       Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and in uppercase characters.
       type: keyword; example: 55FBB9C7DEBF09809D12CCAA
     tls.client.x509.signature_algorithm
       Identifier for the certificate signature algorithm. We recommend using the names found in the Go crypto library; see https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
       type: keyword; example: SHA256-RSA
     tls.client.x509.subject.common_name
       List of common names (CN) of subject.
       type: keyword; example: shared.global.example.net
     tls.client.x509.subject.country
       List of country (C) codes.
       type: keyword; example: US
     tls.client.x509.subject.distinguished_name
       Distinguished name (DN) of the certificate subject entity.
       type: keyword; example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
     tls.client.x509.subject.locality
       List of locality names (L).
       type: keyword; example: San Francisco
     tls.client.x509.subject.organization
       List of organizations (O) of subject.
       type: keyword; example: Example, Inc.
     tls.client.x509.subject.organizational_unit
       List of organizational units (OU) of subject.
       type: keyword
     tls.client.x509.subject.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword; example: California
     tls.client.x509.version_number
       Version of x509 format.
       type: keyword; example: 3
     tls.curve
       String indicating the curve used for the given cipher, when applicable.
       type: keyword; example: secp256r1
     tls.established
       Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
       type: boolean
     tls.next_protocol
       String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.
       type: keyword; example: http/1.1
     tls.resumed
       Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
       type: boolean
     tls.server.certificate
       PEM-encoded stand-alone certificate offered by the server. This is usually mutually exclusive of server.certificate_chain since this value also exists in that list.
       type: keyword; example: MII…
     tls.server.certificate_chain
       Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually exclusive of server.certificate since that value should be the first certificate in the chain.
       type: keyword; example: ["MII… ", "MII… "]
     tls.server.hash.md5
       Certificate fingerprint using the MD5 digest of the DER-encoded version of the certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
       type: keyword; example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
     tls.server.hash.sha1
       Certificate fingerprint using the SHA1 digest of the DER-encoded version of the certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
       type: keyword; example: 9E393D93138888D288266C2D915214D1D1CCEB2A
     tls.server.hash.sha256
       Certificate fingerprint using the SHA256 digest of the DER-encoded version of the certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
       type: keyword; example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
     tls.server.issuer
       Subject of the issuer of the x.509 certificate presented by the server.
       type: keyword; example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
     tls.server.ja3s
       A hash that identifies servers based on how they perform an SSL/TLS handshake.
       type: keyword; example: 394441ab65754e2207b1e1b457b3641d
     tls.server.not_after
       Timestamp indicating when the server certificate is no longer considered valid.
       type: date; example: 2021-01-01T00:00:00.000Z
     tls.server.not_before
       Timestamp indicating when the server certificate is first considered valid.
       type: date; example: 1970-01-01T00:00:00.000Z
     tls.server.subject
       Subject of the x.509 certificate presented by the server.
       type: keyword; example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
     tls.server.x509.alternative_names
       List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
       type: keyword; example: *.elastic.co
     tls.server.x509.issuer.common_name
       List of common names (CN) of the issuing certificate authority.
       type: keyword; example: Example SHA2 High Assurance Server CA
     tls.server.x509.issuer.country
       List of country (C) codes.
       type: keyword; example: US
     tls.server.x509.issuer.distinguished_name
       Distinguished name (DN) of the issuing certificate authority.
       type: keyword; example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
     tls.server.x509.issuer.locality
       List of locality names (L).
       type: keyword; example: Mountain View
     tls.server.x509.issuer.organization
       List of organizations (O) of the issuing certificate authority.
       type: keyword; example: Example Inc
     tls.server.x509.issuer.organizational_unit
       List of organizational units (OU) of the issuing certificate authority.
       type: keyword; example: www.example.com
     tls.server.x509.issuer.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword; example: California
     tls.server.x509.not_after
       Time at which the certificate is no longer considered valid.
       type: date; example: 2020-07-16 03:15:39+00:00
     tls.server.x509.not_before
       Time at which the certificate is first considered valid.
       type: date; example: 2019-08-16 01:40:25+00:00
     tls.server.x509.public_key_algorithm
       Algorithm used to generate the public key.
       type: keyword; example: RSA
     tls.server.x509.public_key_curve
       The curve used by the elliptic curve public key algorithm. This is algorithm specific.
       type: keyword; example: nistp521
     tls.server.x509.public_key_exponent
       Exponent used to derive the public key. This is algorithm specific.
       type: long; example: 65537. Field is not indexed.
     tls.server.x509.public_key_size
       The size of the public key space in bits.
       type: long; example: 2048
     tls.server.x509.serial_number
       Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and in uppercase characters.
       type: keyword; example: 55FBB9C7DEBF09809D12CCAA
     tls.server.x509.signature_algorithm
       Identifier for the certificate signature algorithm. We recommend using the names found in the Go crypto library; see https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
       type: keyword; example: SHA256-RSA
     tls.server.x509.subject.common_name
       List of common names (CN) of subject.
       type: keyword; example: shared.global.example.net
     tls.server.x509.subject.country
       List of country (C) codes.
       type: keyword; example: US
     tls.server.x509.subject.distinguished_name
       Distinguished name (DN) of the certificate subject entity.
       type: keyword; example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
     tls.server.x509.subject.locality
       List of locality names (L).
       type: keyword; example: San Francisco
     tls.server.x509.subject.organization
       List of organizations (O) of subject.
       type: keyword; example: Example, Inc.
     tls.server.x509.subject.organizational_unit
       List of organizational units (OU) of subject.
       type: keyword
     tls.server.x509.subject.state_or_province
       List of state or province names (ST, S, or P).
       type: keyword; example: California
     tls.server.x509.version_number
       Version of x509 format.
       type: keyword; example: 3
     tls.version
       Numeric part of the version parsed from the original string.
       type: keyword; example: 1.2
     tls.version_protocol
       Normalized lowercase protocol name parsed from the original string.
       type: keyword; example: tls
     span.id
       Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.
       type: keyword; example: 3ff9a8981b7ccd5a
     trace.id
       Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
       type: keyword; example: 4bf92f3577b34da6a3ce929d0e0e4736
     transaction.id
       Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.
       type: keyword; example: 00f067aa0ba902b7
     url
       URL fields provide support for complete or partial URLs, and support breaking them down into scheme, domain, path, and so on.
     url.domain
       Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.
       type: keyword; example: www.elastic.co
     url.extension
       The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
       type: keyword; example: png
     url.fragment
       Portion of the url after the #, such as "top". The # is not part of the fragment.
       type: keyword
     url.full
       If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.
       type: wildcard; example: https://www.elastic.co:443/search?q=elasticsearch#top
     url.full.text
       type: match_only_text
     url.original
       Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
       type: wildcard; example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
     url.original.text
       type: match_only_text
     url.password
       Password of the request.
       type: keyword
     url.path
       Path of the request, such as "/search".
       type: wildcard
     url.port
       Port of the request, such as 443.
       type: long; example: 443; format: string
     url.query
       The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.
       type: keyword
     url.registered_domain
       The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
       type: keyword; example: example.com
     url.scheme
       Scheme of the request, such as "https". Note: the : is not part of the scheme.
       type: keyword; example: https
     url.subdomain
       The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
       type: keyword; example: east
     url.top_level_domain
       The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
       type: keyword; example: co.uk
     url.username
       Username of the request.
       type: keyword
     user
       The user fields
     describe information about the user that is relevant to the event.Fields
     can have one entry or multiple entries. If a user has more than one id,
     provide an array that includes all of them. user.changes.domain Name of the
     directory the user is a member of.For example, an LDAP or Active Directory
     domain name. type: keyword user.changes.email User email address. type:
     keyword user.changes.full_name User’s full name, if available. type:
     keyword example: Albert Einstein user.changes.full_name.text type:
     match_only_text user.changes.group.domain Name of the directory the group
     is a member of.For example, an LDAP or Active Directory domain name. type:
     keyword user.changes.group.id Unique identifier for the group on the
     system/platform. type: keyword user.changes.group.name Name of the group.
     type: keyword user.changes.hash Unique user hash to correlate information
     for a user in anonymized form.Useful if user.id or user.name contain
     confidential information and cannot be used. type: keyword user.changes.id
     Unique identifier of the user. type: keyword example:
     S-1-5-21-202424912787-2692429404-2351956786-1000 user.changes.name Short
     name or login of the user. type: keyword example: a.einstein
     user.changes.name.text type: match_only_text user.changes.roles Array of
     user roles at the time of the event. type: keyword example:
     ["kibana_admin", "reporting_user"] user.domain Name of the directory the
     user is a member of.For example, an LDAP or Active Directory domain name.
     type: keyword user.effective.domain Name of the directory the user is a
     member of.For example, an LDAP or Active Directory domain name. type:
     keyword user.effective.email User email address. type: keyword
     user.effective.full_name User’s full name, if available. type: keyword
     example: Albert Einstein user.effective.full_name.text type:
     match_only_text user.effective.group.domain Name of the directory the group
     is a member of.For example, an LDAP or Active Directory domain name. type:
     keyword user.effective.group.id Unique identifier for the group on the
     system/platform. type: keyword user.effective.group.name Name of the group.
     type: keyword user.effective.hash Unique user hash to correlate information
     for a user in anonymized form.Useful if user.id or user.name contain
     confidential information and cannot be used. type: keyword
     user.effective.id Unique identifier of the user. type: keyword example:
     S-1-5-21-202424912787-2692429404-2351956786-1000 user.effective.name Short
     name or login of the user. type: keyword example: a.einstein
     user.effective.name.text type: match_only_text user.effective.roles Array
     of user roles at the time of the event. type: keyword example:
     ["kibana_admin", "reporting_user"] user.email User email address. type:
     keyword user.full_name User’s full name, if available. type: keyword
     example: Albert Einstein user.full_name.text type: match_only_text
     user.group.domain Name of the directory the group is a member of.For
     example, an LDAP or Active Directory domain name. type: keyword
     user.group.id Unique identifier for the group on the system/platform. type:
     keyword user.group.name Name of the group. type: keyword user.hash Unique
     user hash to correlate information for a user in anonymized form.Useful if
     user.id or user.name contain confidential information and cannot be used.
     type: keyword user.id Unique identifier of the user. type: keyword example:
     S-1-5-21-202424912787-2692429404-2351956786-1000 user.name Short name or
     login of the user. type: keyword example: a.einstein user.name.text type:
     match_only_text user.roles Array of user roles at the time of the event.
     type: keyword example: ["kibana_admin", "reporting_user"]
     user.target.domain Name of the directory the user is a member of.For
     example, an LDAP or Active Directory domain name. type: keyword
     user.target.email User email address. type: keyword user.target.full_name
     User’s full name, if available. type: keyword example: Albert Einstein
     user.target.full_name.text type: match_only_text user.target.group.domain
     Name of the directory the group is a member of.For example, an LDAP or
     Active Directory domain name. type: keyword user.target.group.id Unique
     identifier for the group on the system/platform. type: keyword
     user.target.group.name Name of the group. type: keyword user.target.hash
     Unique user hash to correlate information for a user in anonymized
     form.Useful if user.id or user.name contain confidential information and
     cannot be used. type: keyword user.target.id Unique identifier of the user.
     type: keyword example: S-1-5-21-202424912787-2692429404-2351956786-1000
     user.target.name Short name or login of the user. type: keyword example:
     a.einstein user.target.name.text type: match_only_text user.target.roles
     Array of user roles at the time of the event. type: keyword example:
     ["kibana_admin", "reporting_user"] user_agent The user_agent fields
     normally come from a browser request.They often show up in web service logs
     coming from the parsed user agent string. user_agent.device.name Name of
     the device. type: keyword example: iPhone user_agent.name Name of the user
     agent. type: keyword example: Safari user_agent.original Unparsed
     user_agent string. type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone
     OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
     Version/12.0 Mobile/15E148 Safari/604.1 user_agent.original.text type:
     match_only_text user_agent.os.family OS family (such as redhat, debian,
     freebsd, windows). type: keyword example: debian user_agent.os.full
     Operating system name, including the version or code name. type: keyword
     example: Mac OS Mojave user_agent.os.full.text type: match_only_text
     user_agent.os.kernel Operating system kernel version as a raw string. type:
     keyword example: 4.4.0-112-generic user_agent.os.name Operating system
     name, without the version. type: keyword example: Mac OS X
     user_agent.os.name.text type: match_only_text user_agent.os.platform
     Operating system platform (such centos, ubuntu, windows). type: keyword
     example: darwin user_agent.os.type Use the os.type field to categorize the
     operating system into one of the broad commercial families.One of these
     following values should be used (lowercase): linux, macos, unix, windows.If
     the OS you’re dealing with is not in the list, the field should not be
     populated. Please let us know by opening an issue with ECS, to propose its
     addition. type: keyword example: macos user_agent.os.version Operating
     system version as a raw string. type: keyword example: 10.14.1
     user_agent.version Version of the user agent. type: keyword example: 12.0
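The url.* rules above carry several traps that a naive urlparse() call gets wrong: an IPv6 literal keeps its brackets in url.domain, url.query must exist as an empty string when a bare "?" is present but be absent otherwise, url.extension is only the last suffix, and url.registered_domain / url.top_level_domain need a public suffix list rather than "last two labels". The following is an added example, not ECS or Elastic code, that applies those rules to a raw URL or bare path. PSL_SUBSET is a constructed fragment of the public suffix list standing in for the real list; url.subdomain is computed as all labels below the registered domain (the rule ECS gives for the partially qualified case), so the FQDN variant that also drops the host label is not attempted here.

```python
from urllib.parse import urlsplit

# Constructed subset of the public suffix list (publicsuffix.org). A real
# implementation loads the full list; "co" and "co.uk" are both present so
# that the multi-label eTLD case is exercised.
PSL_SUBSET = {"com", "net", "org", "io", "co", "uk", "co.uk", "org.uk"}


def split_domain(domain):
    """Return (subdomain, registered_domain, top_level_domain) for a host name.

    The eTLD is the longest suffix present in the public suffix list, the
    registered domain is that suffix plus one more label, and the subdomain
    is every label left of the registered domain. IP literals and hosts with
    no known suffix yield empty strings.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        etld = ".".join(labels[i:])
        if etld in PSL_SUBSET:
            break
    else:
        return "", "", ""
    n = len(labels) - i                 # number of labels in the eTLD
    if len(labels) == n:                # the host itself is a public suffix
        return "", "", etld
    registered = ".".join(labels[-(n + 1):])
    subdomain = ".".join(labels[:-(n + 1)])
    return subdomain, registered, etld


def ecs_url(raw):
    """Map one URL string (full URL or bare path) to ECS url.* fields."""
    p = urlsplit(raw)
    fields = {"url.original": raw}
    if p.scheme:
        fields["url.scheme"] = p.scheme                 # ':' is not part of the scheme
    if p.scheme and p.netloc:
        fields["url.full"] = raw                        # only a complete URL goes to url.full
    userinfo, _, hostport = p.netloc.rpartition("@")
    if userinfo:
        user, sep, pwd = userinfo.partition(":")
        fields["url.username"] = user
        if sep:
            fields["url.password"] = pwd
    if hostport.startswith("["):                        # IPv6 literal: keep the brackets (RFC 2732)
        domain = hostport[: hostport.index("]") + 1]
    else:
        domain = hostport.partition(":")[0]
    if domain:
        fields["url.domain"] = domain
        sub, reg, tld = split_domain(domain)
        if reg:
            fields["url.registered_domain"] = reg
            fields["url.top_level_domain"] = tld
            if sub:
                fields["url.subdomain"] = sub
    if p.port is not None:
        fields["url.port"] = p.port
    if p.path:
        fields["url.path"] = p.path
    stem, dot, ext = p.path.rsplit("/", 1)[-1].rpartition(".")
    if dot and stem and ext:                            # last extension only, no leading dot
        fields["url.extension"] = ext
    if "?" in raw.split("#", 1)[0]:                     # '?' present: query exists, possibly empty
        fields["url.query"] = p.query
    if p.fragment:
        fields["url.fragment"] = p.fragment
    return fields


if __name__ == "__main__":
    for u in ("https://www.elastic.co:443/search?q=elasticsearch#top",
              "http://[2001:db8::1]:8080/files/example.tar.gz?",
              "/search?q=elasticsearch"):
        print(ecs_url(u))
```

The "?"-presence check is done on the raw string because urlsplit() reports an empty query both for "/a?" and for "/a", which would collapse the two cases ECS tells you to keep distinct.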
     vlan: The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. observer.ingress and observer.egress VLAN values are used to record observer-specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
     * vlan.id: VLAN ID as reported by the observer. type: keyword; example: 10
     * vlan.name: Optional VLAN name as reported by the observer. type: keyword; example: outside

     vulnerability: The vulnerability fields describe information about a vulnerability that is relevant to an event.
     * vulnerability.category: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example, Qualys vulnerability categories. This field must be an array. type: keyword; example: ["Firewall"]
     * vulnerability.classification: The classification of the vulnerability scoring system. For example, CVSS (https://www.first.org/cvss/). type: keyword; example: CVSS
     * vulnerability.description: The description of the vulnerability that provides additional context of the vulnerability. For example, a Common Vulnerabilities and Exposures (CVE) description. type: keyword; example: In macOS before 2.12.6, there is a vulnerability in the RPC…
     * vulnerability.description.text: type: match_only_text
     * vulnerability.enumeration: The type of identifier used for this vulnerability. For example, CVE (https://cve.mitre.org/about/). type: keyword; example: CVE
     * vulnerability.id: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example, a Common Vulnerabilities and Exposures (CVE) ID. type: keyword; example: CVE-2019-00001
     * vulnerability.reference: A resource that provides additional information, context, and mitigations for the identified vulnerability. type: keyword; example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
     * vulnerability.report_id: The report or scan identification number. type: keyword; example: 20191018.0001
     * vulnerability.scanner.vendor: The name of the vulnerability scanner vendor. type: keyword; example: Tenable
     * vulnerability.score.base: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. See https://www.first.org/cvss/specification-document. type: float; example: 5.5
     * vulnerability.score.environmental: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. See https://www.first.org/cvss/specification-document. type: float; example: 5.5
     * vulnerability.score.temporal: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. See https://www.first.org/cvss/specification-document. type: float
     * vulnerability.score.version: The version of the scoring system the scores were computed under. The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. See https://nvd.nist.gov/vuln-metrics/cvss. type: keyword; example: 2.0
     * vulnerability.severity: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. See https://nvd.nist.gov/vuln-metrics/cvss. type: keyword; example: Critical

     x509: This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at file.x509. When hashes of the DER-encoded certificate are available, the hash data set should be populated as well (e.g. file.hash.sha256). Events that contain certificate information about network connections should use the x509 fields under the relevant TLS fields: tls.server.x509 and/or tls.client.x509.
     * x509.alternative_names: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword; example: *.elastic.co
     * x509.issuer.common_name: List of common names (CN) of issuing certificate authority. type: keyword; example: Example SHA2 High Assurance Server CA
     * x509.issuer.country: List of country (C) codes. type: keyword; example: US
     * x509.issuer.distinguished_name: Distinguished name (DN) of issuing certificate authority. type: keyword; example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
     * x509.issuer.locality: List of locality names (L). type: keyword; example: Mountain View
     * x509.issuer.organization: List of organizations (O) of issuing certificate authority. type: keyword; example: Example Inc
     * x509.issuer.organizational_unit: List of organizational units (OU) of issuing certificate authority. type: keyword; example: www.example.com
     * x509.issuer.state_or_province: List of state or province names (ST, S, or P). type: keyword; example: California
     * x509.not_after: Time at which the certificate is no longer considered valid. type: date; example: 2020-07-16 03:15:39+00:00
     * x509.not_before: Time at which the certificate is first considered valid. type: date; example: 2019-08-16 01:40:25+00:00
     * x509.public_key_algorithm: Algorithm used to generate the public key. type: keyword; example: RSA
     * x509.public_key_curve: The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword; example: nistp521
     * x509.public_key_exponent: Exponent used to derive the public key. This is algorithm specific. type: long; example: 65537. Field is not indexed.
     * x509.public_key_size: The size of the public key space in bits. type: long; example: 2048
     * x509.serial_number: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and with uppercase hex characters. type: keyword; example: 55FBB9C7DEBF09809D12CCAA
     * x509.signature_algorithm: Identifier for certificate signature algorithm. We recommend using names found in the Go crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword; example: SHA256-RSA
     * x509.subject.common_name: List of common names (CN) of subject. type: keyword; example: shared.global.example.net
     * x509.subject.country: List of country (C) codes. type: keyword; example: US
     * x509.subject.distinguished_name: Distinguished name (DN) of the certificate subject entity. type: keyword; example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
     * x509.subject.locality: List of locality names (L). type: keyword; example: San Francisco
     * x509.subject.organization: List of organizations (O) of subject. type: keyword; example: Example, Inc.
     * x509.subject.organizational_unit: List of organizational units (OU) of subject. type: keyword
     * x509.subject.state_or_province: List of state or province names (ST, S, or P). type: keyword; example: California
     * x509.version_number: Version of x509 format. type: keyword; example: 3
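The vlan section above distinguishes the outer tag (network.vlan) from the inner q-in-q tag (network.inner.vlan) but does not show how a sensor gets them out of a frame. The following is an added example, not Elastic, Zeek or Wireshark code: it walks the 802.1Q tag stack of an Ethernet II frame, masks the 12-bit VID out of each TCI (discarding PCP and DEI), and fills the two ECS fields. build_frame is a constructed test helper that assembles frames with fabricated MAC addresses; the TPID set (0x8100, 0x88A8, 0x9100) is the usual trio but any other value is treated as a payload ethertype.

```python
import struct

# Tag protocol identifiers that introduce an 802.1Q tag: the customer tag
# (0x8100), the 802.1ad service tag (0x88A8) and the pre-standard QinQ value
# (0x9100). Anything else after the MAC addresses is a payload ethertype.
TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_vlan_tags(frame):
    """Return (ecs_fields, payload_ethertype, payload_offset) for one Ethernet II frame.

    Walks every 802.1Q tag that follows the two MAC addresses. The outermost
    tag populates network.vlan.id, the next one network.inner.vlan.id (ECS
    records only those two); deeper tags are consumed but not reported.
    Raises ValueError on a frame that ends inside a header.
    """
    vids = []
    offset = 12                                    # past dst + src MAC
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated at offset %d" % offset)
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TPIDS:
            break                                  # real payload type, e.g. 0x0800 IPv4
        if offset + 2 > len(frame):
            raise ValueError("802.1Q tag truncated at offset %d" % offset)
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)                  # drop PCP (3 bits) and DEI (1 bit)
    fields = {}
    if vids:
        fields["network.vlan.id"] = str(vids[0])   # vlan.id is a keyword, hence str
    if len(vids) > 1:
        fields["network.inner.vlan.id"] = str(vids[1])
    return fields, ethertype, offset


def build_frame(vids, ethertype=0x0800, pcp=0, payload=b""):
    """Constructed test helper: frame with the given tag stack, outer tag first.
    A two-tag stack uses the 802.1ad S-tag outside and a C-tag inside."""
    frame = bytearray(b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb")
    for i, vid in enumerate(vids):
        tpid = 0x88A8 if (i == 0 and len(vids) > 1) else 0x8100
        frame += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    frame += struct.pack("!H", ethertype) + payload
    return bytes(frame)


if __name__ == "__main__":
    for stack in ([], [10], [100, 200]):
        print(stack, parse_vlan_tags(build_frame(stack)))
```

Returning the payload offset lets the caller hand the rest of the frame to the IP parser; the offset is 14 for an untagged frame and grows by 4 per tag.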
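The vulnerability.score.* fields above name the CVSS metric groups (exploitability, impact, scope) but leave the arithmetic to the FIRST specification. The following is an added example, not ECS, Elastic or FIRST code, that computes a CVSS v3.1 base score from a vector string using the specification's base-score equations and Roundup function, then fills vulnerability.classification, vulnerability.score.version, vulnerability.score.base and vulnerability.severity (the latter using the NVD v3.x rating bands: None 0.0, Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0). It goes beyond the page in that it handles any v3.1 vector, not only the 5.5 example; the CVE identifier argument is hypothetical and only copied into vulnerability.id.

```python
import math

# CVSS v3.1 base-metric weights from the FIRST specification (section 7.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},     # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.50}}     # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done on integers so
    that float noise such as 4.0000001 does not become 4.1."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """Split a CVSS:3.1 vector into a metric dict. Temporal and environmental
    metrics may follow the base metrics and are simply carried along."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are supported, got %r" % prefix)
    metrics = dict(item.split(":", 1) for item in rest.split("/") if item)
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError("vector lacks base metrics: %s" % ",".join(missing))
    if metrics["S"] not in PR:
        raise ValueError("scope must be U or C, got %r" % metrics["S"])
    return metrics


def base_score(vector):
    """CVSS v3.1 base score (section 7.1 of the specification)."""
    m = parse_vector(vector)
    scope = m["S"]
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    if scope == "C":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[scope][m["PR"]] * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    if scope == "C":
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def severity(score):
    """NVD qualitative rating for a CVSS v3.x score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def vulnerability_fields(vector, cve_id=None):
    """Populate the ECS vulnerability.* fields derivable from a vector string."""
    score = base_score(vector)
    fields = {
        "vulnerability.classification": "CVSS",
        "vulnerability.score.version": "3.1",
        "vulnerability.score.base": score,
        "vulnerability.severity": severity(score),
    }
    if cve_id:                                       # hypothetical caller-supplied identifier
        fields["vulnerability.enumeration"] = "CVE"
        fields["vulnerability.id"] = cve_id
    return fields


if __name__ == "__main__":
    print(vulnerability_fields("CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"))
```

Roundup is the part most home-grown calculators get wrong: the v3.1 definition works on the value scaled by 100000 precisely so that two implementations never disagree by 0.1 on the same vector.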


 12. MEMCACHE FIELDS
     
     https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-memcache.html
     Documentation
     
     Memcached-specific event fields.
     * memcache.protocol_type: The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. type: keyword
     * memcache.request.line: The raw command line for unknown commands ONLY. type: keyword
     * memcache.request.command: The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. type: keyword
     * memcache.response.command: Either the text based protocol response message type or the name of the originating request if binary protocol is used. type: keyword
     * memcache.request.type: The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". type: keyword
     * memcache.response.type: The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see memcache.response.status for binary protocol). type: keyword
     * memcache.response.error_msg: The optional error message in the memcache response (text based protocol only). type: keyword
     * memcache.request.opcode: The binary protocol message opcode name. type: keyword
     * memcache.response.opcode: The binary protocol message opcode name. type: keyword
     * memcache.request.opcode_value: The binary protocol message opcode value. type: long
     * memcache.response.opcode_value: The binary protocol message opcode value. type: long
     * memcache.request.opaque: The binary protocol opaque header value used for correlating request with response messages. type: long
     * memcache.response.opaque: The binary protocol opaque header value used for correlating request with response messages. type: long
     * memcache.request.vbucket: The vbucket index sent in the binary message. type: long
     * memcache.response.status: The textual representation of the response error code (binary protocol only). type: keyword
     * memcache.response.status_code: The status code value returned in the response (binary protocol only). type: long
     * memcache.request.keys: The list of keys sent in the store or load commands. type: array
     * memcache.response.keys: The list of keys returned for the load command (if present). type: array
     * memcache.request.count_values: The number of values found in the memcache request message. If the command does not send any data, this field is missing. type: long
     * memcache.response.count_values: The number of values found in the memcache response message. If the command does not send any data, this field is missing. type: long
     * memcache.request.values: The list of base64 encoded values sent with the request (if present). type: array
     * memcache.response.values: The list of base64 encoded values sent with the response (if present). type: array
     * memcache.request.bytes: The byte count of the values being transferred. type: long; format: bytes
     * memcache.response.bytes: The byte count of the values being transferred. type: long; format: bytes
     * memcache.request.delta: The counter increment/decrement delta value. type: long
     * memcache.request.initial: The counter increment/decrement initial value parameter (binary protocol only). type: long
     * memcache.request.verbosity: The value of the memcache "verbosity" command. type: long
     * memcache.request.raw_args: The text protocol raw arguments for the "stats …" and "lru crawl …" commands. type: keyword
     * memcache.request.source_class: The source class id in slab reassign command. type: long
     * memcache.request.dest_class: The destination class id in slab reassign command. type: long
     * memcache.request.automove: The automove mode in the slab automove command expressed as a string. This value can be "standby" (=0), "slow" (=1), "aggressive" (=2), or the raw value if the value is unknown. type: keyword
     * memcache.request.flags: The memcache command flags sent in the request (if present). type: long
     * memcache.response.flags: The memcache message flags sent in the response (if present). type: long
     * memcache.request.exptime: The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). type: long
     * memcache.request.sleep_us: The sleep setting in microseconds for the lru_crawler sleep command. type: long
     * memcache.response.value: The counter value returned by a counter operation. type: long
     * memcache.request.noreply: Set to true if noreply was set in the request. The memcache.response field will be missing. type: boolean
     * memcache.request.quiet: Set to true if the binary protocol message is to be treated as a quiet message. type: boolean
     * memcache.request.cas_unique: The CAS (compare-and-swap) identifier if present. type: long
     * memcache.response.cas_unique: The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). type: long
     * memcache.response.stats: The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". type: array
     * memcache.response.version: The returned memcache version string. type: keyword
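The field reference above says what Packetbeat records for a memcache request but not how a text-protocol command line maps onto it. The following is an added example, not Packetbeat code: it parses one text-protocol request (command line plus optional data block) into the memcache.request.* fields, keeps the raw line only for unknown commands, base64-encodes the value as memcache.request.values does, and resolves the 30-day exptime rule into an absolute time. The command-to-class mapping in LOAD/STORE/COUNTER/INFO is an assumption about how commands fall into the classes listed above, not Packetbeat's own table, and _expires_at is a derived value, not a Packetbeat field. The sample requests in the test are constructed.

```python
import base64

# Assumed mapping of text-protocol commands onto the memcache.request.type
# classes listed above; Packetbeat's own classification is not reproduced here.
LOAD = {"get", "gets", "gat", "gats"}
STORE = {"set", "add", "replace", "append", "prepend", "cas"}
COUNTER = {"incr", "decr"}
INFO = {"version", "verbosity", "flush_all", "quit"}
OTHER = {"delete": "Delete", "stats": "Stats", "slabs": "SlabCtrl", "lru_crawler": "LRUCrawler"}
THIRTY_DAYS = 60 * 60 * 24 * 30


def classify(command):
    if command in LOAD:
        return "Load"
    if command in STORE:
        return "Store"
    if command in COUNTER:
        return "Counter"
    if command in INFO:
        return "Info"
    return OTHER.get(command, "UNKNOWN")


def absolute_expiry(exptime, now):
    """Resolve memcache.request.exptime: 0 never expires, values up to 30 days are
    relative to now, anything larger is already an absolute Unix time. (memcached
    itself treats a value of exactly 30 days as still relative.)"""
    if exptime == 0:
        return None
    return now + exptime if exptime <= THIRTY_DAYS else exptime


def parse_text_request(raw, now=0):
    """Parse one text-protocol request into Packetbeat-style memcache.request.*
    fields. `_expires_at` is derived here and is not a Packetbeat field."""
    line, _, data = raw.partition(b"\r\n")
    text = line.decode("ascii", "replace")
    tokens = text.split()
    if not tokens:
        raise ValueError("empty request line")
    cmd, args = tokens[0].lower(), tokens[1:]
    ev = {"memcache.protocol_type": "text",
          "memcache.request.command": cmd,
          "memcache.request.type": classify(cmd)}
    if cmd in STORE:
        # <cmd> <key> <flags> <exptime> <bytes> [cas_unique] [noreply]\r\n<data>\r\n
        n = 5 if cmd == "cas" else 4
        if len(args) < n:
            raise ValueError("%s needs %d arguments" % (cmd, n))
        flags, exptime, nbytes = int(args[1]), int(args[2]), int(args[3])
        value = data[:nbytes]
        if len(value) != nbytes:
            raise ValueError("data block shorter than the declared %d bytes" % nbytes)
        ev.update({"memcache.request.keys": [args[0]],
                   "memcache.request.flags": flags,
                   "memcache.request.exptime": exptime,
                   "_expires_at": absolute_expiry(exptime, now),
                   "memcache.request.bytes": nbytes,
                   "memcache.request.count_values": 1,
                   "memcache.request.values": [base64.b64encode(value).decode("ascii")],
                   "memcache.request.noreply": args[n:] == ["noreply"]})
        if cmd == "cas":
            ev["memcache.request.cas_unique"] = int(args[4])
    elif cmd in LOAD:
        if cmd in ("gat", "gats"):                 # gat <exptime> <key>*
            ev["memcache.request.exptime"] = int(args[0])
            args = args[1:]
        ev["memcache.request.keys"] = list(args)
    elif cmd in COUNTER:                           # incr|decr <key> <delta> [noreply]
        ev.update({"memcache.request.keys": [args[0]],
                   "memcache.request.delta": int(args[1]),
                   "memcache.request.noreply": args[2:] == ["noreply"]})
    elif cmd == "delete":                          # delete <key> [noreply]
        ev.update({"memcache.request.keys": [args[0]],
                   "memcache.request.noreply": args[1:] == ["noreply"]})
    elif cmd in ("stats", "lru_crawler"):
        ev["memcache.request.raw_args"] = " ".join(args)
    elif cmd == "verbosity":
        ev["memcache.request.verbosity"] = int(args[0])
    elif ev["memcache.request.type"] == "UNKNOWN":
        ev["memcache.request.line"] = text         # raw line is kept for unknown commands only
    return ev


if __name__ == "__main__":
    print(parse_text_request(b"set session:42 0 3600 5 noreply\r\nhello\r\n", now=1700000000))
```

The length check on the data block matters when the parser runs over captured traffic: a store whose declared byte count exceeds the bytes seen so far is a partial capture, not a request, and should be held until the rest of the stream arrives rather than emitted with a truncated value.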


 13. PACKETBEAT QUICK START: INSTALLATION AND CONFIGURATION
     
     https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html
     Documentation
     
     The best way to understand the value of a network packet analytics system like Packetbeat is to try it on your own traffic. This guide describes how to get started quickly with network packet analytics. You’ll learn how to:
     * install Packetbeat on each system you want to monitor
     * specify the network devices and protocols to sniff
     * parse the packet data into fields and send it to Elasticsearch
     * visualize the packet data in Kibana

     Before you begin
     You need Elasticsearch for storing and searching your data, and Kibana for visualizing and managing it.
     * Elasticsearch Service: To get started quickly, spin up a deployment of our hosted Elasticsearch Service. The Elasticsearch Service is available on AWS, GCP, and Azure. Try it out for free.
     * Self-managed: To install and run Elasticsearch and Kibana, see Installing the Elastic Stack.
     On most platforms, Packetbeat requires the libpcap packet capture library. Depending on your OS, you might need to install it:
     * DEB: sudo apt-get install libpcap0.8
     * RPM: sudo yum install libpcap
     * MacOS, Linux: You probably do not need to install libpcap.
     * Windows: You probably do not need to install libpcap. The default distribution of Packetbeat for Windows comes bundled with the Npcap library. For the OSS-only distribution, you must download and install a packet sniffing library, such as Npcap, that implements the libpcap interfaces. If you use Npcap, make sure you install it in WinPcap API-compatible mode. If you plan to capture traffic from the loopback device (127.0.0.1 traffic), also select the option to support loopback traffic.

     Step 1: Install Packetbeat
     You can install Packetbeat on dedicated servers, getting the traffic from mirror ports or tap devices, or you can install it on your existing application servers. To download and install Packetbeat, use the commands that work with your system:
     * DEB:
       curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-8.14.3-amd64.deb
       sudo dpkg -i packetbeat-8.14.3-amd64.deb
     * RPM:
       curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-8.14.3-x86_64.rpm
       sudo rpm -vi packetbeat-8.14.3-x86_64.rpm
     * MacOS:
       curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-8.14.3-darwin-x86_64.tar.gz
       tar xzvf packetbeat-8.14.3-darwin-x86_64.tar.gz
     * Linux:
       curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-8.14.3-linux-x86_64.tar.gz
       tar xzvf packetbeat-8.14.3-linux-x86_64.tar.gz
     * Windows:
       1. Download the Packetbeat Windows zip file: https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-8.14.3-windows-x86_64.zip
       2. Extract the contents of the zip file into C:\Program Files.
       3. Rename the packetbeat-8.14.3-windows-x86_64 directory to Packetbeat.
       4. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
       5. From the PowerShell prompt, run the following commands to install Packetbeat as a Windows service:
          PS > cd 'C:\Program Files\Packetbeat'
          PS C:\Program Files\Packetbeat> .\install-service-packetbeat.ps1
       If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-packetbeat.ps1
     The commands shown are for AMD platforms, but ARM packages are also available. Refer to the download page for the full list of available packages.
     Other installation options: APT or YUM; Download page; Docker.

     Step 2: Connect to the Elastic Stack
     Connections to Elasticsearch and Kibana are required to set up Packetbeat. Set the connection information in packetbeat.yml. To locate this configuration file, see Directory layout.
     * Elasticsearch Service: Specify the cloud.id of your Elasticsearch Service, and set cloud.auth to a user who is authorized to set up Packetbeat. For example:
       cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
       cloud.auth: "packetbeat_setup:YOUR_PASSWORD"
     * Self-managed: Set the host and port where Packetbeat can find the Elasticsearch installation, and set the username and password of a user who is authorized to set up Packetbeat. For example:
       output.elasticsearch:
         hosts: ["https://myEShost:9200"]
         username: "packetbeat_internal"
         password: "YOUR_PASSWORD"
         ssl:
           enabled: true
           ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c"
     If you plan to use our pre-built Kibana dashboards, configure the Kibana endpoint. Skip this step if Kibana is running on the same host as Elasticsearch.
       setup.kibana:
         host: "mykibanahost:5601"
         username: "my_kibana_user"
         password: "{pwd}"
     To learn more about required roles and privileges, see Grant users access to secured resources. You can send data to other outputs, such as Logstash, but that requires additional configuration and setup.

     Step 3: Configure sniffing
     In packetbeat.yml, configure the network devices and protocols to capture traffic from.
     1. Set the sniffer type. By default, Packetbeat uses pcap, which uses the libpcap library and works on most platforms. On Linux, set the sniffer type to af_packet to use memory-mapped sniffing. This option is faster than libpcap and doesn’t require a kernel module, but it’s Linux-specific:
        packetbeat.interfaces.type: af_packet
     2. Specify the network device to capture traffic from. For example:
        packetbeat.interfaces.device: eth0
        On Linux, specify packetbeat.interfaces.device: any to capture all messages sent or received by the server where Packetbeat is installed. The any setting does not work on macOS. To see a list of available devices, run:
        * DEB, RPM: packetbeat devices
        * MacOS, Linux: ./packetbeat devices
        * Windows: PS C:\Program Files\Packetbeat> .\packetbeat.exe devices
          0: \Device\NPF_{113535AD-934A-452E-8D5F-3004797DE286} (Intel(R) PRO/1000 MT Desktop Adapter)
          In this example, there’s only one network card, with the index 0, installed on the system. If there are multiple network cards, remember the index of the device you want to use for capturing the traffic. Modify the device setting to point to the index of the device:
          packetbeat.interfaces.device: 0
        For more information about these settings, see Traffic sniffing.
     3. In the protocols section, configure the ports where Packetbeat can find each protocol. If you use any non-standard ports, add them here. Otherwise, use the default values.
        packetbeat.protocols:
        - type: dhcpv4
          ports: [67, 68]
        - type: dns
          ports: [53]
        - type: http
          ports: [80, 8080, 8081, 5000, 8002]
        - type: memcache
          ports: [11211]
        - type: mysql
          ports: [3306,3307]
        - type: pgsql
          ports: [5432]
        - type: redis
          ports: [6379]
        - type: thrift
          ports: [9090]
        - type: mongodb
          ports: [27017]
        - type: cassandra
          ports: [9042]
        - type: tls
          ports: [443, 993, 995, 5223, 8443, 8883, 9243]
     To test your configuration file, change to the directory where the Packetbeat binary is installed, and run Packetbeat in the foreground with the following options specified: sudo ./packetbeat test config -e. Make sure your config files are in the path expected by Packetbeat (see Directory layout), or use the -c flag to specify the path to the config file. Depending on your OS, you might run into file ownership issues when you run this test. See Config File Ownership and Permissions for more information.
     For more information about configuring Packetbeat, also see: Configure Packetbeat; Config file format; packetbeat.reference.yml (this reference configuration file shows all non-deprecated options; you’ll find it in the same location as packetbeat.yml).

     Step 4: Set up assets
     Packetbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:
     1. Make sure the user specified in packetbeat.yml is authorized to set up Packetbeat.
     2. From the installation directory, run:
        * DEB, RPM: packetbeat setup -e
        * MacOS, Linux: ./packetbeat setup -e
        * Windows: PS > .\packetbeat.exe setup -e
        -e is optional and sends output to standard error instead of the configured log output.
     This step loads the recommended index template for writing to Elasticsearch and deploys the sample dashboards for visualizing the data in Kibana. A connection to Elasticsearch (or Elasticsearch Service) is required to set up the initial environment. If you’re using a different output, such as Logstash, see Load the index template manually and Load Kibana dashboards.

     Step 5: Start Packetbeat
     Before starting Packetbeat, modify the user credentials in packetbeat.yml and specify a user who is authorized to publish events. To start Packetbeat, run:
     * DEB, RPM: sudo service packetbeat start
       If you use an init.d script to start Packetbeat, you can’t specify command line flags (see Command reference). To specify flags, start Packetbeat in the foreground. Also see Packetbeat and systemd.
     * MacOS, Linux:
       sudo chown root packetbeat.yml
       sudo ./packetbeat -e
     * Windows: PS C:\Program Files\packetbeat> Start-Service packetbeat
       By default, Windows log files are stored in C:\ProgramData\packetbeat\Logs.
     Packetbeat should begin
     streaming data to Elasticsearch. Step 6: View your data in Kibana
     Packetbeat comes with pre-built Kibana dashboards and UIs for visualizing
     logdata. You loaded the dashboards earlier when you ran the setup command.
     To open the dashboards: Launch Kibana: Elasticsearch Service Self-managed
     Log in to your Elastic Cloud account. Navigate to the Kibana endpoint in
     your deployment. Point your browser to http://localhost:5601 , replacing
     localhost with the name of the Kibana host. In the side navigation, click
     Discover . To see Packetbeat data, makesure the predefined packetbeat-*
     index pattern is selected. If you don’t see data in Kibana, try changing
     the time filter to a largerrange. By default, Kibana shows the last 15
     minutes. In the side navigation, click Dashboard , then select the
     dashboard that youwant to open. The dashboards are provided as examples. We
     recommend that you customize them to meet your needs. To populate the
     client locations map in the overview dashboard, follow thesteps described
     in Enrich events with geoIP information . What’s next? Now that you have
     your data streaming into Elasticsearch, learn how to unify your
     logs,metrics, uptime, and application performance data. Ingest data from
     other sources by installing and configuring other ElasticBeats: Use the
     Observability apps in Kibana to search across all your data:


 14. ORGANIZATIONINVITATIONS
     
     https://www.elastic.co/guide/en/cloud-enterprise/current/OrganizationInvitations.html
     Documentation
     
     A collection of invitations to an organization

     invitations (array[OrganizationInvitation], required): The list of
     organization invitations

     {
       "invitations": [
         {
           "accepted_at": "2019-01-01T00:00:00Z",
           "created_at": "2019-01-01T00:00:00Z",
           "email": "string",
           "expired": true,
           "expires_at": "2019-01-01T00:00:00Z",
           "organization": {
             "billing_contacts": ["string"],
             "default_disk_usage_alerts_enabled": true,
             "id": "string",
             "name": "string",
             "notifications_allowed_email_domains": ["string"],
             "operational_contacts": ["string"]
           },
           "token": "string"
         }
       ]
     }


 15. ORGANIZATIONINVITATION
     
     https://www.elastic.co/guide/en/cloud-enterprise/current/OrganizationInvitation.html
     Documentation
     
     An invitation to an organization

     accepted_at (string as date-time): The date and time when the invitation
     was accepted
     created_at (string as date-time, required): The date and time when the
     invitation was created
     email (string, required): The email address to invite to the organization
     expired (boolean, required): True if the invitation is expired
     expires_at (string as date-time, required): The date and time when the
     invitation expires
     organization (Organization, required): The organization associated with
     this invitation
     token (string, required): The token used to accept the invitation

     {
       "accepted_at": "2019-01-01T00:00:00Z",
       "created_at": "2019-01-01T00:00:00Z",
       "email": "string",
       "expired": true,
       "expires_at": "2019-01-01T00:00:00Z",
       "organization": {
         "billing_contacts": ["string"],
         "default_disk_usage_alerts_enabled": true,
         "id": "string",
         "name": "string",
         "notifications_allowed_email_domains": ["string"],
         "operational_contacts": ["string"]
       },
       "token": "string"
     }


 16. ORGANIZATIONINVITATIONREQUEST
     
     https://www.elastic.co/guide/en/cloud-enterprise/current/OrganizationInvitationRequest.html
     Documentation
     
     A request to create one or more invitations to an organization

     emails (array[string], required): The email addresses to invite to the
     organization
     expires_in (string): The date and time when the invitation expires.
     Defaults to three days from now.

     {
       "emails": ["string"],
       "expires_in": "string"
     }


 17. USERLIST
     
     https://www.elastic.co/guide/en/cloud-enterprise/current/UserList.html
     Documentation
     
     A collection of users

     users (array[User], required): A list of users

     {
       "users": [
         {
           "builtin": true,
           "email": "string",
           "full_name": "string",
           "metadata": {
             "created_at": "2019-01-01T00:00:00Z",
             "created_by": "string",
             "first_login_at": "2019-01-01T00:00:00Z",
             "last_login_at": "2019-01-01T00:00:00Z",
             "updated_at": "2019-01-01T00:00:00Z",
             "updated_by": "string"
           },
           "security": {
             "elevated_permissions": {
               "enabled": true,
               "expires_at": "2019-01-01T00:00:00Z"
             },
             "enabled": true,
             "password": "string",
             "permissions": ["string"],
             "roles": ["string"],
             "security_realm": {
               "id": "string",
               "type": "string"
             }
           },
           "user_name": "string"
         }
       ]
     }


 18. REMOVALS FOR ECE 3.0
     
     https://www.elastic.co/guide/en/cloud-enterprise/current/ece-3-0-removals.html
     Documentation
     
     With the release of Elastic Cloud Enterprise version 3.0 a number of
     features, API endpoints, and Elastic Stack versions will no longer be
     supported. Check the following information for details about what will be
     removed, and migration options if appropriate. Check the following sections
     for more detail:
      * Features removed in ECE 3.0
      * API endpoints removed in ECE 3.0
      * Deployments API replaces clusters API
      * Deprecated Elastic Stack versions

     Features removed in ECE 3.0

     The following set of features are removed in Elastic Cloud Enterprise 3.0.

     Custom deployment templates must support node_roles and include all
     components

     When creating custom deployment templates, aside from the Hot data and
     Content tier, platform admins were previously able to decide whether or not
     to include other components, such as Enterprise Search, Kibana, and others.
     This is in addition to the option to disable a component by setting its
     size to 0GB. In ECE version 2.9.0, we introduced a new node_roles field to
     configure which node roles are assigned to each Elasticsearch node, which
     added support for features such as autoscaling and the frozen data tier. As
     part of this change, all components are now required to be included in
     custom templates when using node_roles. When a component is included it is
     still possible to disable it by setting its size to 0GB, excluding the hot
     data and content tier, which is required and must be enabled. Starting with
     ECE version 3.0, all custom deployment templates are required to support
     node_roles and must include all components. Existing deployments will be
     required to migrate to use node_roles before upgrading to Elastic Stack
     version 8.0 or above. If there are deployment templates in your environment
     that were not updated to support node_roles or that do not include all
     components, you must first update them before you are able to upgrade your
     environment to ECE version 3.0 or above. You can use this step-by-step guide
     that describes the migration process.

     Removing support for the dedicated App Search component

     In ECE version 2.4.0 we introduced support for an Elastic App Search
     component with a dedicated App Search deployment template. In ECE version
     2.6.0, we expanded that support to Elastic Enterprise Search, which gives
     you access both to App Search and Workplace Search. Starting from ECE
     version 3.0 we will no longer support the App Search deployment template or
     the App Search component in custom deployment templates. If there are
     active deployments in your ECE environment that are still using the legacy
     App Search deployment template or the App Search component in a custom
     deployment template, you must first migrate them to use Enterprise Search
     before you are able to upgrade your environment to ECE version 3.0 or
     above. You can use the following step-by-step guide that will walk you
     through the migration process.

     Removing support for the dedicated Cross-Cluster-Search (CCS) deployment
     template

     Previously, we supported CCS using a dedicated CCS deployment template. In
     ECE version 2.9.0, we expanded that support to all deployment templates,
     making CCS (and CCR) available in all deployments using compatible Elastic
     Stack versions. Starting with ECE version 3.0, we no longer support the
     dedicated CCS deployment template. If there are active deployments in your
     environment created using the CCS template, you must first migrate them to
     a different template before you are able to upgrade your environment to
     ECE version 3.0 or above. You can use this step-by-step guide that
     describes the migration process.

     Removing support for Elastic Stack versions 2.x and 5.x

     In ECE 2.x versions, you could upload older 2.x and 5.x Elastic Stack packs
     and create new deployments using those versions. As described on our
     End-of-Life page, maintenance for those versions ended more than two years
     ago. Starting with ECE version 3.0, we no longer support version 2.x or 5.x
     deployments. If there are active deployments in your ECE environment using
     those versions, you must first upgrade them to Elastic Stack 6.0 or above
     before you are able to upgrade your environment to ECE version 3.0 or
     above. We highly recommend upgrading to a supported version as described on
     our End-of-Life page. Refer to our Upgrade documentation to upgrade your
     deployments to a newer Elastic Stack version.

     Removing support for index curation

     Index curation enabled you to easily and automatically move indices from
     hot to cold data nodes after a certain time period. In ECE version 2.2, we
     released support for index lifecycle management (ILM), which offers a much
     more robust mechanism to move your data across the different phases as it
     matures and is less frequently searched. Starting with ECE version 3.0, we
     no longer support index curation. If you have active deployments using
     index curation, you must first migrate them to use ILM before you are able
     to upgrade your environment to ECE version 3.0 or above. You can use this
     step-by-step guide that describes the migration process.

     Remove logging and metrics index curator

     Logging and metrics curator was a process that ran on coordinating nodes
     that enforced index retention on system-managed indices in the logging and
     metrics cluster. Starting with ECE version 3.0, we no longer use the
     curator process for logging and metrics index retention. Instead, we will
     install default ILM policies for system-managed logging and metrics indices
     in the logging and metrics cluster. If log and metrics retention was
     customized in previous versions of ECE, we won't install the default ILM
     policies, to avoid pruning logs and metrics that were intended to be
     retained. The upgrade log will warn you about this and output the custom
     retention policy that was detected. To configure system log and metrics
     indices retention, see setting retention period for logging and metrics
     indices. After a successful upgrade from ECE version < 3.0 to a version
     >= 3.0, we suggest that you remove the backup container of the curator
     manually by running:

     docker rm -f frc-curators-curator_bak

     Removing support for Elasticsearch remote clusters "sniff mode"

     When creating or editing a deployment, the node_type field was used to
     configure which Elasticsearch node roles should be assigned to each node.
     Starting with Elastic Stack 7.10, Elasticsearch supports a new method to
     configure and manage Elasticsearch node roles using a single node.roles
     setting. With this change, we introduced a new node_roles field in our ECE
     API to take advantage of the new Elasticsearch setting. Starting with
     Elastic Stack version 8.0, the legacy node role configuration is no longer
     supported in Elasticsearch and, as a result, we are also removing support
     for the legacy node_type field. Requests to create or update deployments
     using Elastic Stack version 8.0 or above will be rejected. You can,
     however, continue to use the node_type field to create and manage
     deployments using older stack versions. As a first step, before you migrate
     a deployment to use node_roles, the relevant deployment template associated
     with that deployment (as configured in the deployment_template field in the
     deployment JSON) must be updated to support node_roles. System-owned
     templates all support the new node_roles field. To learn more about how to
     update custom deployment templates, refer to Custom deployment templates
     must support node_roles and include all components. If you are using the
     ECE user console to manage your deployment, this change should be
     transparent. The deployment will automatically migrate to use the new
     node_roles field when you upgrade to a stack version that supports the new
     field. If you are using the ECE API to create and manage deployments, you
     must edit your payload and replace the node_type field with the new
     node_roles field to assign node roles to each Elasticsearch node. You can
     use this step-by-step guide that describes the migration process.

     Removing the IP filtering API endpoints

     We introduced the Traffic Filters API in ECE version 2.6.0. The IP
     Filtering API endpoints were deprecated in the same release. We are
     removing access to the IP Filtering endpoints in ECE version 3.0 to
     consolidate on the newer set of API endpoints.

     Change in CORS behavior

     We implemented CORS behavior handling in the proxy to match legacy
     behavior, and since the stack now fully supports CORS handling on its own,
     we no longer need to do this for current versions. Beginning with ECE
     version 3.0, we now rely on the stack implementation for all clusters that
     support it.

     API endpoints removed in ECE 3.0

     The following endpoints have been removed from the Elastic Cloud Enterprise
     RESTful API in version 3.0. Check Deployments API replaces clusters API for
     options on how to migrate to a different endpoint before upgrading ECE.

     POST /cluster/_search -> Use POST /deployments/_search instead.
     GET /clusters/apm -> Use GET /deployments instead.
     POST /clusters/apm -> Use PUT /deployments/{deployment_id} instead.
     POST /clusters/apm/_resync -> Use POST /deployments/_resync instead.
     POST /clusters/apm/_search -> Use POST /deployments/_search instead.
     GET /clusters/apm/{cluster_id} -> Use GET /deployments/{deployment_id} instead.
     DELETE /clusters/apm/{cluster_id} -> Use DELETE /deployments/{deployment_id}/{resource_kind}/{ref_id} instead.
     POST /clusters/apm/{cluster_id}/_reset-token -> Use POST /deployments/{deployment_id}/apm/{ref_id}/_reset-token instead.
     POST /clusters/apm/{cluster_id}/_restart -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/_restart instead.
     POST /clusters/apm/{cluster_id}/_shutdown -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/_shutdown instead.
     POST /clusters/apm/{cluster_id}/_upgrade -> Use POST /deployments/{deployment_id}/{stateless_resource_kind}/{ref_id}/_upgrade instead.
     POST /clusters/apm/{cluster_id}/instances/_move
     POST /clusters/apm/{cluster_id}/instances/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/_start instead.
     POST /clusters/apm/{cluster_id}/instances/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/_stop instead.
     POST /clusters/apm/{cluster_id}/instances/maintenance-mode/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/maintenance-mode/_start instead.
     POST /clusters/apm/{cluster_id}/instances/maintenance-mode/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/maintenance-mode/_stop instead.
     POST /clusters/apm/{cluster_id}/instances/{instance_ids}/_move
     POST /clusters/apm/{cluster_id}/instances/{instance_ids}/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/_start instead.
     POST /clusters/apm/{cluster_id}/instances/{instance_ids}/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/_stop instead.
     POST /clusters/apm/{cluster_id}/instances/{instance_ids}/maintenance-mode/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/maintenance-mode/_start instead.
     POST /clusters/apm/{cluster_id}/instances/{instance_ids}/maintenance-mode/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/maintenance-mode/_stop instead.
     PUT /clusters/apm/{cluster_id}/metadata/name/{new_name} -> Use PUT /deployments/{deployment_id} instead.
     GET /clusters/apm/{cluster_id}/metadata/raw -> Use GET /deployments/{deployment_id}?show_metadata=true instead.
     POST /clusters/apm/{cluster_id}/metadata/raw -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/metadata/raw instead.
     GET /clusters/apm/{cluster_id}/metadata/settings -> Use GET /deployments/{deployment_id} instead.
     PATCH /clusters/apm/{cluster_id}/metadata/settings -> Use PUT /deployments/{deployment_id} instead.
     GET /clusters/apm/{cluster_id}/plan -> Use GET /deployments/{deployment_id} instead.
     POST /clusters/apm/{cluster_id}/plan -> Use PUT /deployments/{deployment_id} instead.
     GET /clusters/apm/{cluster_id}/plan/activity -> Use GET /deployments/{deployment_id} instead.
     GET /clusters/apm/{cluster_id}/plan/pending -> Use GET /deployments/{deployment_id} instead.
     DELETE /clusters/apm/{cluster_id}/plan/pending -> Use DELETE /deployments/{deployment_id}/{resource_kind}/{ref_id}/plan/pending instead.
     GET /clusters/elasticsearch -> Use GET /deployments instead.
     POST /clusters/elasticsearch -> Use POST /deployments instead.
     POST /clusters/elasticsearch/_resync -> Use POST /deployments/_resync instead.
     POST /clusters/elasticsearch/_search -> Use POST /deployments/_search instead.
     GET /clusters/elasticsearch/ccs/eligible_remotes -> Use POST /deployments/eligible-remote-clusters instead.
     GET /clusters/elasticsearch/{cluster_id} -> Use GET /deployments/{deployment_id} instead.
     DELETE /clusters/elasticsearch/{cluster_id} -> Use DELETE /deployments/{deployment_id} instead.
     POST /clusters/elasticsearch/{cluster_id}/_restart -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/_restart instead.
     POST /clusters/elasticsearch/{cluster_id}/_resync -> Use POST /deployments/{deployment_id}/_resync instead.
     POST /clusters/elasticsearch/{cluster_id}/_shutdown -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/_shutdown instead.
     POST /clusters/elasticsearch/{cluster_id}/_snapshot -> Use Elasticsearch snapshot API and snapshot lifecycle management APIs.
     GET /clusters/elasticsearch/{cluster_id}/ccs -> Use Elasticsearch remote info API.
     GET /clusters/elasticsearch/{cluster_id}/ccs/settings -> Use GET /deployments/{deployment_id}/elasticsearch/{ref_id}/remote-clusters instead.
     PUT /clusters/elasticsearch/{cluster_id}/ccs/settings -> Use PUT /deployments/{deployment_id}/elasticsearch/{ref_id}/remote-clusters instead.
     GET /clusters/elasticsearch/{cluster_id}/curation/settings -> Curation no longer available. Use Elasticsearch index lifecycle management instead.
     PUT /clusters/elasticsearch/{cluster_id}/curation/settings -> Curation no longer available. Use Elasticsearch index lifecycle management instead.
     POST /clusters/elasticsearch/{cluster_id}/instances/_move
     POST /clusters/elasticsearch/{cluster_id}/instances/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/_start instead.
     POST /clusters/elasticsearch/{cluster_id}/instances/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/_stop instead.
     POST /clusters/elasticsearch/{cluster_id}/instances/maintenance-mode/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/maintenance-mode/_start instead.
     POST /clusters/elasticsearch/{cluster_id}/instances/maintenance-mode/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/maintenance-mode/_stop instead.
     PUT /clusters/elasticsearch/{cluster_id}/instances/settings -> Use PUT /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/overrides instead.
     POST /clusters/elasticsearch/{cluster_id}/instances/{instance_ids}/_move
     POST /clusters/elasticsearch/{cluster_id}/instances/{instance_ids}/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/_start instead.
     POST /clusters/elasticsearch/{cluster_id}/instances/{instance_ids}/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/_stop instead.
     POST /clusters/elasticsearch/{cluster_id}/instances/{instance_ids}/maintenance-mode/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/maintenance-mode/_start instead.
     POST /clusters/elasticsearch/{cluster_id}/instances/{instance_ids}/maintenance-mode/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/maintenance-mode/_stop instead.
     PUT /clusters/elasticsearch/{cluster_id}/instances/{instance_ids}/settings -> Use PUT /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/overrides instead.
     GET /clusters/elasticsearch/{cluster_id}/keystore -> Use GET /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore instead.
     PATCH /clusters/elasticsearch/{cluster_id}/keystore -> Use PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore instead.
     PUT /clusters/elasticsearch/{cluster_id}/metadata/name/{new_name} -> Use PUT /deployments/{deployment_id} instead.
     GET /clusters/elasticsearch/{cluster_id}/metadata/raw -> Use GET /deployments/{deployment_id}?show_metadata=true instead.
     POST /clusters/elasticsearch/{cluster_id}/metadata/raw -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/metadata/raw instead.
     GET /clusters/elasticsearch/{cluster_id}/metadata/settings -> Use GET /deployments/{deployment_id} instead.
     PATCH /clusters/elasticsearch/{cluster_id}/metadata/settings -> Use PUT /deployments/{deployment_id} instead.
     DELETE /clusters/elasticsearch/{cluster_id}/monitoring -> Use PUT /deployments/{deployment_id} instead.
     POST /clusters/elasticsearch/{cluster_id}/monitoring/{dest_cluster_id} -> Use PUT /deployments/{deployment_id} instead.
     GET /clusters/elasticsearch/{cluster_id}/plan -> Use GET /deployments/{deployment_id} instead.
     POST /clusters/elasticsearch/{cluster_id}/plan -> Use PUT /deployments/{deployment_id} instead.
     POST /clusters/elasticsearch/{cluster_id}/plan/_migrate
     GET /clusters/elasticsearch/{cluster_id}/plan/activity -> Use GET /deployments/{deployment_id}?show_plan_history=true&show_plan_logs=true instead.
     GET /clusters/elasticsearch/{cluster_id}/plan/pending -> Use GET /deployments/{deployment_id} instead.
     DELETE /clusters/elasticsearch/{cluster_id}/plan/pending -> Use DELETE /deployments/{deployment_id}/{resource_kind}/{ref_id}/plan/pending instead.
     GET /clusters/elasticsearch/{cluster_id}/proxy/{elasticsearch_path} -> Use GET /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     POST /clusters/elasticsearch/{cluster_id}/proxy/{elasticsearch_path} -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     PUT /clusters/elasticsearch/{cluster_id}/proxy/{elasticsearch_path} -> Use PUT /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     DELETE /clusters/elasticsearch/{cluster_id}/proxy/{elasticsearch_path} -> Use DELETE /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     PUT /clusters/elasticsearch/{cluster_id}/settings/security/legacy -> Endpoint was used for 2.x versions of Elasticsearch, which are EOL and unsupported in ECE 3.0.
     GET /clusters/elasticsearch/{cluster_id}/snapshot/settings -> Use GET /deployments/{deployment_id} instead.
     PATCH /clusters/elasticsearch/{cluster_id}/snapshot/settings -> Use PUT /deployments/{deployment_id} instead.
     GET /clusters/elasticsearch/{cluster_id}/support/_generate-diagnostics -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/diagnostics/_capture instead.
     GET /clusters/elasticsearch/{cluster_id}/support/_generate-logs
     GET /clusters/enterprise_search/{cluster_id}/proxy/{enterprise_search_path} -> Use GET /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     POST /clusters/enterprise_search/{cluster_id}/proxy/{enterprise_search_path} -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     PUT /clusters/enterprise_search/{cluster_id}/proxy/{enterprise_search_path} -> Use PUT /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     DELETE /clusters/enterprise_search/{cluster_id}/proxy/{enterprise_search_path} -> Use DELETE /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     GET /clusters/kibana -> Use GET /deployments instead.
     POST /clusters/kibana -> Use PUT /deployments/{deployment_id} instead.
     POST /clusters/kibana/_resync -> Use POST /deployments/_resync instead.
     POST /clusters/kibana/_search -> Use POST /deployments/_search instead.
     GET /clusters/kibana/{cluster_id} -> Use GET /deployments/{deployment_id} instead.
     DELETE /clusters/kibana/{cluster_id} -> Use DELETE /deployments/{deployment_id}/{resource_kind}/{ref_id} instead.
     POST /clusters/kibana/{cluster_id}/_restart -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/_restart instead.
     POST /clusters/kibana/{cluster_id}/_resync -> Use POST /deployments/{deployment_id}/_resync instead.
     POST /clusters/kibana/{cluster_id}/_shutdown -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/_shutdown instead.
     POST /clusters/kibana/{cluster_id}/_upgrade -> Use POST /deployments/{deployment_id}/{stateless_resource_kind}/{ref_id}/_upgrade instead.
     POST /clusters/kibana/{cluster_id}/instances/_move
     POST /clusters/kibana/{cluster_id}/instances/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/_start instead.
     POST /clusters/kibana/{cluster_id}/instances/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/_stop instead.
     POST /clusters/kibana/{cluster_id}/instances/maintenance-mode/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/maintenance-mode/_start instead.
     POST /clusters/kibana/{cluster_id}/instances/maintenance-mode/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/maintenance-mode/_stop instead.
     POST /clusters/kibana/{cluster_id}/instances/{instance_ids}/_move
     POST /clusters/kibana/{cluster_id}/instances/{instance_ids}/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/_start instead.
     POST /clusters/kibana/{cluster_id}/instances/{instance_ids}/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/_stop instead.
     POST /clusters/kibana/{cluster_id}/instances/{instance_ids}/maintenance-mode/_start -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/maintenance-mode/_start instead.
     POST /clusters/kibana/{cluster_id}/instances/{instance_ids}/maintenance-mode/_stop -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/instances/{instance_ids}/maintenance-mode/_stop instead.
     PUT /clusters/kibana/{cluster_id}/metadata/name/{new_name} -> Use PUT /deployments/{deployment_id} instead.
     GET /clusters/kibana/{cluster_id}/metadata/raw -> Use GET /deployments/{deployment_id}?show_metadata=true instead.
     POST /clusters/kibana/{cluster_id}/metadata/raw -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/metadata/raw instead.
     GET /clusters/kibana/{cluster_id}/metadata/settings -> Use GET /deployments/{deployment_id} instead.
     PATCH /clusters/kibana/{cluster_id}/metadata/settings -> Use PUT /deployments/{deployment_id} instead.
     GET /clusters/kibana/{cluster_id}/plan -> Use GET /deployments/{deployment_id} instead.
     POST /clusters/kibana/{cluster_id}/plan -> Use PUT /deployments/{deployment_id} instead.
     GET /clusters/kibana/{cluster_id}/plan/activity -> Use GET /deployments/{deployment_id}?show_plan_history=true&show_plan_logs=true instead.
     GET /clusters/kibana/{cluster_id}/plan/pending -> Use GET /deployments/{deployment_id} instead.
     DELETE /clusters/kibana/{cluster_id}/plan/pending -> Use DELETE /deployments/{deployment_id}/{resource_kind}/{ref_id}/plan/pending instead.
     GET /clusters/kibana/{cluster_id}/proxy/{kibana_path} -> Use GET /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     POST /clusters/kibana/{cluster_id}/proxy/{kibana_path} -> Use POST /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     PUT /clusters/kibana/{cluster_id}/proxy/{kibana_path} -> Use PUT /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     DELETE /clusters/kibana/{cluster_id}/proxy/{kibana_path} -> Use DELETE /deployments/{deployment_id}/{resource_kind}/{ref_id}/proxy/{proxy_path} instead.
     GET /deployments/ip-filtering/associations/{association_type}/{associated_entity_id}/rulesets -> Use GET /deployments/traffic-filter/associations/{association_type}/{associated_entity_id}/rulesets instead.
     GET /deployments/ip-filtering/rulesets -> Use GET /deployments/traffic-filter/rulesets instead.
     POST /deployments/ip-filtering/rulesets -> Use POST /deployments/traffic-filter/rulesets instead.
     GET /deployments/ip-filtering/rulesets/{ruleset_id} -> Use GET /deployments/traffic-filter/rulesets/{ruleset_id} instead.
     PUT /deployments/ip-filtering/rulesets/{ruleset_id} -> Use PUT /deployments/traffic-filter/rulesets/{ruleset_id} instead.
     DELETE /deployments/ip-filtering/rulesets/{ruleset_id} -> Use DELETE /deployments/traffic-filter/rulesets/{ruleset_id} instead.
     GET /deployments/ip-filtering/rulesets/{ruleset_id}/associations -> Use GET /deployments/traffic-filter/rulesets/{ruleset_id}/associations instead.
     POST /deployments/ip-filtering/rulesets/{ruleset_id}/associations -> Use POST /deployments/traffic-filter/rulesets/{ruleset_id}/associations instead.
     DELETE /deployments/ip-filtering/rulesets/{ruleset_id}/associations/{association_type}/{associated_entity_id} -> Use DELETE /deployments/traffic-filter/rulesets/{ruleset_id}/associations/{association_type}/{associated_entity_id} instead.
     POST /platform/configuration/security/deployment/_disable -> The security deployment is required in Elastic Cloud Enterprise 3.0, so there is no longer an API for disabling it.
     POST /platform/configuration/security/deployment/_enable -> The security deployment
     is already enabled in Elastic Cloud Enterprise 3.0, so there is no longer
     an API for enabling it. GET /platform/configuration/templates/deployments
     Use GET /deployments/templates instead. POST
     /platform/configuration/templates/deployments Use POST
     /deployments/templates instead. DELETE
     /platform/configuration/templates/deployments/{template_id} Use DELETE
     /deployments/templates/{template_id} instead. GET
     /platform/configuration/templates/deployments/{template_id} Use GET
     /deployments/templates/{template_id} instead. PUT
     /platform/configuration/templates/deployments/{template_id} Use PUT
     /deployments/templates/{template_id} instead. POST
     /users/auth/reauthenticate Use API keys instead. Deployments API replaces
     clusters API Starting in Elastic Cloud Enterprise 3.0, there is no longer a
     top-level concept of clusters. Deployments are now the only top level
     model, and they represent a collection of resources. A resource is
     essentially what used to be called a cluster. It represents a deployable
     product with an infrastructure plan and a topology of instances that are
     deployed on one or more allocators. A resource has a kind (Elasticsearch,
     Kibana, Enterprise Search, and so on) and a reference ID (refid) that
     uniquely identifies it within the deployment. The resource kind and refid
     are used throughout the API to replace operations that used to be for
     operating on individual clusters. You can retrieve the resources and their
     corresponding refids for a given deployment by using the Get Deployment
     API. As an example, in Elastic Cloud Enterprise 2, you could use the
     clusters API like so to create a deployment:

         POST /api/v1/clusters/elasticsearch
         {
           "cluster_name": "My deployment",
           "plan": {
             "cluster_topology": [
               { "id": "hot_content",
                 "node_type": { "data": true, "master": true, "ingest": true, "ml": false },
                 "node_roles": [ "master", "ingest", "transform", "data_hot", "remote_cluster_client", "data_content" ],
                 "zone_count": 1,
                 "elasticsearch": { "node_attributes": { "data": "hot" }, "enabled_built_in_plugins": [] },
                 "instance_configuration_id": "data.default",
                 "size": { "value": 4096, "resource": "memory" } },
               { "id": "warm",
                 "node_type": { "data": true, "master": false, "ingest": false, "ml": false },
                 "node_roles": [ "data_warm", "remote_cluster_client" ],
                 "zone_count": 1,
                 "elasticsearch": { "node_attributes": { "data": "warm" }, "enabled_built_in_plugins": [] },
                 "instance_configuration_id": "data.highstorage",
                 "size": { "value": 0, "resource": "memory" } },
               { "id": "cold",
                 "node_type": { "data": true, "master": false, "ingest": false, "ml": false },
                 "node_roles": [ "data_cold", "remote_cluster_client" ],
                 "zone_count": 1,
                 "elasticsearch": { "node_attributes": { "data": "cold" }, "enabled_built_in_plugins": [] },
                 "instance_configuration_id": "data.highstorage",
                 "size": { "value": 0, "resource": "memory" } },
               { "id": "frozen",
                 "node_type": { "data": true, "master": false, "ingest": false, "ml": false },
                 "node_roles": [ "data_frozen" ],
                 "zone_count": 1,
                 "elasticsearch": { "node_attributes": { "data": "frozen" }, "enabled_built_in_plugins": [] },
                 "instance_configuration_id": "data.frozen",
                 "size": { "value": 0, "resource": "memory" } },
               { "id": "coordinating",
                 "node_type": { "ingest": true, "master": false, "data": false, "ml": false },
                 "node_roles": [ "ingest", "remote_cluster_client" ],
                 "zone_count": 1,
                 "instance_configuration_id": "coordinating",
                 "size": { "value": 0, "resource": "memory" },
                 "elasticsearch": { "enabled_built_in_plugins": [] } },
               { "id": "master",
                 "node_type": { "master": true, "data": false, "ml": false, "ingest": false },
                 "node_roles": [ "master", "remote_cluster_client" ],
                 "zone_count": 1,
                 "instance_configuration_id": "master",
                 "size": { "value": 0, "resource": "memory" },
                 "elasticsearch": { "enabled_built_in_plugins": [] } },
               { "id": "ml",
                 "node_type": { "ml": true, "data": false, "master": false, "ingest": false },
                 "node_roles": [ "ml", "remote_cluster_client" ],
                 "zone_count": 1,
                 "instance_configuration_id": "ml",
                 "size": { "value": 0, "resource": "memory" },
                 "elasticsearch": { "enabled_built_in_plugins": [] } }
             ],
             "elasticsearch": { "version": "7.15.1" },
             "autoscaling_enabled": false,
             "deployment_template": { "id": "default" }
           }
         }

         POST /api/v1/clusters/kibana
         {
           "elasticsearch_cluster_id": {elasticsearch_id},
           "plan": {
             "zone_count": 1,
             "cluster_topology": [
               { "instance_configuration_id": "kibana",
                 "size": { "value": 1024, "resource": "memory" },
                 "zone_count": 1 }
             ],
             "kibana": { "version": "7.15.1" }
           }
         }

     With the deployments API, you can create the same
     deployment like so:

         POST /api/v1/deployments
         {
           "resources": {
             "elasticsearch": [
               { "ref_id": "main-elasticsearch",
                 "region": "ece-region",
                 "plan": {
                   "cluster_topology": [
                     { "id": "hot_content",
                       "node_roles": [ "master", "ingest", "transform", "data_hot", "remote_cluster_client", "data_content" ],
                       "zone_count": 1,
                       "elasticsearch": { "node_attributes": { "data": "hot" }, "enabled_built_in_plugins": [] },
                       "instance_configuration_id": "data.default",
                       "size": { "value": 4096, "resource": "memory" } },
                     { "id": "warm",
                       "node_roles": [ "data_warm", "remote_cluster_client" ],
                       "zone_count": 1,
                       "elasticsearch": { "node_attributes": { "data": "warm" }, "enabled_built_in_plugins": [] },
                       "instance_configuration_id": "data.highstorage",
                       "size": { "value": 0, "resource": "memory" } },
                     { "id": "cold",
                       "node_roles": [ "data_cold", "remote_cluster_client" ],
                       "zone_count": 1,
                       "elasticsearch": { "node_attributes": { "data": "cold" }, "enabled_built_in_plugins": [] },
                       "instance_configuration_id": "data.highstorage",
                       "size": { "value": 0, "resource": "memory" } },
                     { "id": "frozen",
                       "node_roles": [ "data_frozen" ],
                       "zone_count": 1,
                       "elasticsearch": { "node_attributes": { "data": "frozen" }, "enabled_built_in_plugins": [] },
                       "instance_configuration_id": "data.frozen",
                       "size": { "value": 0, "resource": "memory" } },
                     { "id": "coordinating",
                       "node_roles": [ "ingest", "remote_cluster_client" ],
                       "zone_count": 1,
                       "instance_configuration_id": "coordinating",
                       "size": { "value": 0, "resource": "memory" },
                       "elasticsearch": { "enabled_built_in_plugins": [] } },
                     { "id": "master",
                       "node_roles": [ "master", "remote_cluster_client" ],
                       "zone_count": 1,
                       "instance_configuration_id": "master",
                       "size": { "value": 0, "resource": "memory" },
                       "elasticsearch": { "enabled_built_in_plugins": [] } },
                     { "id": "ml",
                       "node_roles": [ "ml", "remote_cluster_client" ],
                       "zone_count": 1,
                       "instance_configuration_id": "ml",
                       "size": { "value": 0, "resource": "memory" },
                       "elasticsearch": { "enabled_built_in_plugins": [] } }
                   ],
                   "elasticsearch": { "version": "7.15.1" },
                   "autoscaling_enabled": false,
                   "deployment_template": { "id": "default" }
                 },
                 "settings": {
                   "dedicated_masters_threshold": 6,
                   "snapshot": { "enabled": false }
                 } }
             ],
             "kibana": [
               { "ref_id": "main-kibana",
                 "elasticsearch_cluster_ref_id": "main-elasticsearch",
                 "region": "ece-region",
                 "plan": {
                   "zone_count": 1,
                   "cluster_topology": [
                     { "instance_configuration_id": "kibana",
                       "size": { "value": 1024, "resource": "memory" },
                       "zone_count": 1 }
                   ],
                   "kibana": { "version": "7.15.1" }
                 } }
             ],
             "apm": [],
             "enterprise_search": []
           },
           "name": "My deployment",
           "metadata": { "system_owned": false }
         }

     You can find many more examples in our Elastic Cloud Enterprise API
     documentation.

     Deprecated Elastic Stack versions

     Elastic Stack version 5.6.0 is no longer maintained and will not be
     supported on ECE 3.0. You must upgrade to Elastic Stack version 6.0 or
     above before upgrading to ECE 3.0, and we strongly recommend upgrading to
     a maintained version. More information is available on the Elastic
     products end-of-life page.
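     The mapping between the two request shapes above is mechanical, so it can be scripted. The following is an added example (not Elastic's code or part of this release note) that turns a legacy clusters-API pair into a deployments-API body; the ref_ids, region and settings defaults are assumptions copied from the example bodies, and the legacy inputs are constructed and shortened to two topology elements.

```python
"""Translate ECE 2 clusters-API request bodies into one ECE 3 deployments body.

Added example, not Elastic's code. It applies the mapping visible in the two
request bodies above: the Kibana "elasticsearch_cluster_id" becomes an
"elasticsearch_cluster_ref_id" naming the Elasticsearch resource's ref_id, the
legacy per-node "node_type" block is dropped in favour of "node_roles", and
both resources are wrapped in "resources".
"""
import copy
import json

DEFAULT_REGION = "ece-region"      # assumption: region used in the page example
ES_REF_ID = "main-elasticsearch"   # assumption: ref_ids used in the page example
KIBANA_REF_ID = "main-kibana"


def convert_topology(cluster_topology):
    """Drop node_type from every element; this converter insists on node_roles,
    because that is the only role description it carries forward."""
    converted = []
    for element in cluster_topology:
        element = copy.deepcopy(element)     # never mutate the caller's request
        element.pop("node_type", None)
        if "node_roles" not in element:
            raise ValueError(f"topology element {element.get('id')!r} has no node_roles")
        converted.append(element)
    return converted


def clusters_to_deployment(es_request, kibana_request, name=None,
                           region=DEFAULT_REGION, settings=None):
    """Build a POST /api/v1/deployments body from the two legacy bodies."""
    es_plan = copy.deepcopy(es_request["plan"])
    es_plan["cluster_topology"] = convert_topology(es_plan["cluster_topology"])
    es_resource = {"ref_id": ES_REF_ID, "region": region, "plan": es_plan}
    if settings is not None:
        es_resource["settings"] = settings
    kibana_resource = {
        "ref_id": KIBANA_REF_ID,
        # The legacy body pointed at a cluster ID; the deployments API points
        # at the ref_id of the Elasticsearch resource in the same deployment.
        "elasticsearch_cluster_ref_id": ES_REF_ID,
        "region": region,
        "plan": copy.deepcopy(kibana_request["plan"]),
    }
    return {
        "resources": {"elasticsearch": [es_resource], "kibana": [kibana_resource],
                      "apm": [], "enterprise_search": []},
        "name": name or es_request["cluster_name"],
        "metadata": {"system_owned": False},
    }


# Constructed legacy bodies, shortened to two topology elements; the shape
# follows the ECE 2 example on the page.
LEGACY_ES_REQUEST = {
    "cluster_name": "My deployment",
    "plan": {
        "cluster_topology": [
            {"id": "hot_content",
             "node_type": {"data": True, "master": True, "ingest": True, "ml": False},
             "node_roles": ["master", "ingest", "transform", "data_hot",
                            "remote_cluster_client", "data_content"],
             "zone_count": 1,
             "elasticsearch": {"node_attributes": {"data": "hot"}, "enabled_built_in_plugins": []},
             "instance_configuration_id": "data.default",
             "size": {"value": 4096, "resource": "memory"}},
            {"id": "warm",
             "node_type": {"data": True, "master": False, "ingest": False, "ml": False},
             "node_roles": ["data_warm", "remote_cluster_client"],
             "zone_count": 1,
             "elasticsearch": {"node_attributes": {"data": "warm"}, "enabled_built_in_plugins": []},
             "instance_configuration_id": "data.highstorage",
             "size": {"value": 0, "resource": "memory"}},
        ],
        "elasticsearch": {"version": "7.15.1"},
        "autoscaling_enabled": False,
        "deployment_template": {"id": "default"},
    },
}
LEGACY_KIBANA_REQUEST = {
    "elasticsearch_cluster_id": "PLACEHOLDER-ELASTICSEARCH-CLUSTER-ID",  # placeholder
    "plan": {
        "zone_count": 1,
        "cluster_topology": [{"instance_configuration_id": "kibana",
                              "size": {"value": 1024, "resource": "memory"},
                              "zone_count": 1}],
        "kibana": {"version": "7.15.1"},
    },
}
# Assumption: the settings block shown in the page's deployments example.
DEFAULT_SETTINGS = {"dedicated_masters_threshold": 6, "snapshot": {"enabled": False}}


def build_example():
    return clusters_to_deployment(LEGACY_ES_REQUEST, LEGACY_KIBANA_REQUEST,
                                  settings=DEFAULT_SETTINGS)


if __name__ == "__main__":
    print(json.dumps(build_example(), indent=2))
```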


 19. INGEST LOGS FROM A PYTHON APPLICATION USING FILEBEAT
     
     https://www.elastic.co/guide/en/cloud-enterprise/current/ece-getting-started-search-use-cases-python-logs.html
     Documentation
     
     This guide demonstrates how to ingest logs from a Python application and
     deliver them securely into an Elastic Cloud Enterprise deployment. You’ll
     set up Filebeat to monitor a JSON-structured log file that has standard
     Elastic Common Schema (ECS) formatted fields, and you’ll then view
     real-time visualizations of the log events in Kibana as they occur. While
     Python is used for this example, this approach to monitoring log output is
     applicable across many client types. Check the list of available ECS
     logging plugins.

     You are going to learn how to:
       * Create a Python script with logging
       * Set up Filebeat
       * Send the Python logs to Elasticsearch
       * Create log visualizations in Kibana

     Time required: 1 hour

     Prerequisites

     To complete these steps you need to have Python installed on your system
     as well as the Elastic Common Schema (ECS) logger for the Python logging
     library. To install ecs-logging-python, run:

         python -m pip install ecs-logging

     Create a deployment

       1. Log into the Elastic Cloud Enterprise admin console.
       2. Select Create deployment.
       3. Give your deployment a name. You can leave all other settings at
          their default values.
       4. Select Create deployment and save your Elastic deployment
          credentials. You need these credentials later on.
       5. When the deployment is ready, click Continue and a page of Setup
          guides is displayed. To continue to the deployment homepage click
          I’d like to do something else.

     Connect securely

     When connecting to Elastic Cloud Enterprise you can use a Cloud ID to
     specify the connection details. Find your Cloud ID by going to the Kibana
     main menu and selecting Management > Integrations, and then selecting
     View deployment details.

     To connect to, stream data to, and issue queries with Elastic Cloud
     Enterprise, you need to think about authentication. Two authentication
     mechanisms are supported, API key and basic authentication. Here, to get
     you started quickly, we’ll show you how to use basic authentication, but
     you can also generate API keys as shown later on. API keys are safer and
     preferred for production environments.

     Create a Python script with logging

     In this step, you’ll create a Python script that generates logs in JSON
     format, using Python’s standard logging module. In a local directory,
     create a new file elvis.py and save it with these contents:

         #!/usr/bin/python

         import logging
         import ecs_logging
         import time
         from random import randint

         #logger = logging.getLogger(__name__)
         logger = logging.getLogger("app")
         logger.setLevel(logging.DEBUG)
         # Write ECS-formatted JSON, one object per line, to elvis.json
         handler = logging.FileHandler('elvis.json')
         handler.setFormatter(ecs_logging.StdlibFormatter())
         logger.addHandler(handler)

         print("Generating log entries...")

         messages = [
             "Elvis has left the building.",
             "Elvis has left the oven on.",
             "Elvis has two left feet.",
             "Elvis was left out in the cold.",
             "Elvis was left holding the baby.",
             "Elvis left the cake out in the rain.",
             "Elvis came out of left field.",
             "Elvis exited stage left.",
             "Elvis took a left turn.",
             "Elvis left no stone unturned.",
             "Elvis picked up where he left off.",
             "Elvis's train has left the station."
         ]

         while True:
             random1 = randint(0,15)
             random2 = randint(1,10)
             # Values above 11 fold back to message 0, making it the most frequent entry
             if random1 > 11:
                 random1 = 0
             if(random1<=4):
                 logger.info(messages[random1], extra={"http.request.body.content": messages[random1]})
             elif(random1>=5 and random1<=8):
                 logger.warning(messages[random1], extra={"http.request.body.content": messages[random1]})
             elif(random1>=9 and random1<=10):
                 logger.error(messages[random1], extra={"http.request.body.content": messages[random1]})
             else:
                 logger.critical(messages[random1], extra={"http.request.body.content": messages[random1]})
             time.sleep(random2)

     This Python script randomly generates one of twelve log messages,
     continuously, at a random interval of between 1 and 10 seconds. The log
     messages are written to file elvis.json, each with a timestamp, a log
     level of info, warning, error, or critical, and other data. Just to add
     some variance to the log data, the info message Elvis has left the
     building is set to be the most probable log event.

     For simplicity, there is just one log file and it is written to the local
     directory where elvis.py is located. In a production environment you may
     have multiple log files, associated with different modules and loggers,
     and likely stored in /var/log or similar. To learn more about configuring
     logging in Python, check Logging facility for Python.

     Having your logs written in a JSON format with ECS fields allows for easy
     parsing and analysis, and for standardization with other applications. A
     standard, easily parsable format becomes increasingly important as the
     volume and type of data captured in your logs expands over time.

     Together with the standard fields included for each log entry is an extra
     http.request.body.content field. This extra field is there just to give
     you some additional, interesting data to work with, and also to
     demonstrate how you can add optional fields to your log data. Check the
     ECS Field Reference for the full list of available fields.

     Let’s give the Python script a test run. Open a terminal instance in the
     location where you saved elvis.py and run the following:

         python elvis.py

     After the script has run for about 15 seconds, enter CTRL + C to stop it.
     Have a look at the newly generated elvis.json. It should contain one or
     more entries like this one:

         {"@timestamp":"2021-06-16T02:19:34.687Z","log.level":"info","message":"Elvis has left the building.","ecs":{"version":"1.6.0"},"http":{"request":{"body":{"content":"Elvis has left the building."}}},"log":{"logger":"app","origin":{"file":{"line":39,"name":"elvis.py"},"function":"<module>"},"original":"Elvis has left the building."},"process":{"name":"MainProcess","pid":3044,"thread":{"id":4444857792,"name":"MainThread"}}}
     After confirming that elvis.py runs as expected, you can delete
     elvis.json.

     Set up Filebeat

     Filebeat offers a straightforward, easy to configure way to monitor your
     Python log files and port the log data into Elastic Cloud Enterprise.

     Get Filebeat

     Download Filebeat and unpack it on the local server from which you want to
     collect data.

     Configure Filebeat to access Elastic Cloud Enterprise

     In <localpath>/filebeat-<version>/ (where <localpath> is the directory
     where Filebeat is installed and <version> is the Filebeat version number),
     open the filebeat.yml configuration file for editing.

         # =============================== Elastic Cloud ================================

         # These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

         # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
         # `setup.kibana.host` options.
         # You can find the `cloud.id` in the Elastic Cloud web UI.
         cloud.id: my-deployment:long-hash

         # The cloud.auth setting overwrites the `output.elasticsearch.username` and
         # `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
         cloud.auth: elastic:password

         setup.kibana:
           ssl.certificate_authorities: ["/path/to/your/elastic-ece-ca-cert.pem"]

         output.elasticsearch:
           ssl.certificate_authorities: ["/path/to/your/elastic-ece-ca-cert.pem"]

     Configure Filebeat inputs

     Filebeat has several ways to collect logs. For this example, you’ll
     configure log collection manually. In the filebeat.inputs section of
     filebeat.yml, set enabled: to true, and set paths: to the location of
     your log file or files. In this example, set the same directory where you
     saved elvis.py:

         filebeat.inputs:

         # Each - is an input. Most options can be set at the input level, so
         # you can use different inputs for various configurations.
         # Below are the input specific configurations.

         - type: log

           # Change to true to enable this input configuration.
           enabled: true

           # Paths that should be crawled and fetched. Glob based paths.
           paths:
             - /path/to/log/files/*.json

     You can specify a wildcard (*) character to indicate that all log files in
     the specified directory should be read. You can also use a wildcard to
     read logs from multiple directories. For example /var/log/*/*.log.

     Add the JSON input options

     Filebeat’s input configuration options include several settings for
     decoding JSON messages. Log files are decoded line by line, so it’s
     important that they contain one JSON object per line. For this example,
     Filebeat uses the following four decoding options.

         json.keys_under_root: true
         json.overwrite_keys: true
         json.add_error_key: true
         json.expand_keys: true

     To learn more about these settings, check JSON input configuration
     options and Decode JSON fields in the Filebeat Reference.

     Append the four JSON decoding options to the Filebeat inputs section of
     filebeat.yml, so that the section now looks like this:

         # ============================== Filebeat inputs ===============================

         filebeat.inputs:

         # Each - is an input. Most options can be set at the input level, so
         # you can use different inputs for various configurations.
         # Below are the input specific configurations.

         - type: log

           # Change to true to enable this input configuration.
           enabled: true

           # Paths that should be crawled and fetched. Glob based paths.
           paths:
             - /path/to/log/files/*.json
           json.keys_under_root: true
           json.overwrite_keys: true
           json.add_error_key: true
           json.expand_keys: true

     Finish setting up Filebeat

     Filebeat comes with predefined assets for parsing, indexing, and
     visualizing your data. To load these assets, run the following from the
     Filebeat installation directory:

         ./filebeat setup -e

     Depending on variables including the installation location, environment,
     and local permissions, you might need to change the ownership of
     filebeat.yml. You can also try running the command as root:

         sudo ./filebeat setup -e

     or you can disable strict permission checks by running the command with
     the --strict.perms=false option.

     The setup process takes a couple of minutes. If everything goes
     successfully you should get a confirmation message:

         Loaded Ingest pipelines

     The Filebeat data view (formerly index pattern) is now available in
     Elasticsearch. To verify:

     Beginning with Elastic Stack version 8.0, Kibana index patterns have been
     renamed to data views. To learn more, check the Kibana What’s new in 8.0
     page.

       1. Log in to Kibana.
       2. Open the Kibana main menu and select Management > Kibana > Data
          views.
       3. In the search bar, search for filebeat. You should get filebeat-* in
          the search results.

     Optional: Use an API key to authenticate

     For additional security, instead of using basic authentication you can
     generate an Elasticsearch API key through the Cloud UI, and then
     configure Filebeat to use the new key to connect securely to the Elastic
     Cloud Enterprise deployment.

       1. Log into the Cloud UI.
       2. Select the deployment name and go to ☰ > Management > Dev Tools.
       3. Enter the following request:

              POST /_security/api_key
              {
                "name": "filebeat-api-key",
                "role_descriptors": {
                  "logstash_read_write": {
                    "cluster": ["manage_index_templates", "monitor"],
                    "index": [
                      {
                        "names": ["filebeat-*"],
                        "privileges": ["create_index", "write", "read", "manage"]
                      }
                    ]
                  }
                }
              }

          This creates an API key with the cluster monitor privilege, which
          gives read-only access for determining the cluster state, and
          manage_index_templates, which allows all operations on index
          templates. Some additional privileges also allow create_index,
          write, and manage operations for the specified index. The index
          manage privilege is added to enable index refreshes.
       4. Click ▶. The output should be similar to the following:

              {
                "api_key": "tV1dnfF-GHI59ykgv4N0U3",
                "id": "2TBR42gBabmINotmvZjv",
                "name": "filebeat-api-key"
              }

       5. Add your API key information to the Elasticsearch Output section of
          filebeat.yml, just below output.elasticsearch:. Use the format
          <id>:<api_key>. If your results are as shown in this example, enter
          2TBR42gBabmINotmvZjv:tV1dnfF-GHI59ykgv4N0U3.
       6. Add a pound (#) sign to comment out the cloud.auth:
          elastic:<password> line, since Filebeat will use the API key instead
          of the deployment username and password to authenticate.

              # =============================== Elastic Cloud ================================

              # These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

              # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
              # `setup.kibana.host` options.
              # You can find the `cloud.id` in the Elastic Cloud web UI.
              cloud.id: my-deployment:yTMtd5VzdKEuP2NwPbNsb3VkLtKzLmldJDcyMzUyNjBhZGP7MjQ4OTZiNTIxZTQyOPY2C2NeOGQwJGQ2YWQ4M5FhNjIyYjQ9ODZhYWNjKDdlX2Yz4ELhRYJ7

              # The cloud.auth setting overwrites the `output.elasticsearch.username` and
              # `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
              #cloud.auth: elastic:591KhtuAgTP46by9C4EmhGuk

              # ================================== Outputs ===================================

              # Configure what output to use when sending the data collected by the beat.

              # ---------------------------- Elasticsearch Output ----------------------------
              output.elasticsearch:
                # Array of hosts to connect to.
                api_key: "2TBR42gBabmINotmvZjv:tV1dnfF-GHI59ykgv4N0U3"

     Send the Python logs to Elasticsearch

     It’s time to send some log data into Elasticsearch!

     Launch Filebeat and elvis.py

     Launch Filebeat by running the following from the Filebeat installation
     directory:

         ./filebeat -e -c filebeat.yml

     In this command:
       * The -e flag sends output to the standard error instead of the
         configured log output.
       * The -c flag specifies the path to the Filebeat config file.

     Just in case the command doesn’t work as expected, check the Filebeat
     quick start for the detailed command syntax for your operating system.
     You can also try running the command as root: sudo ./filebeat -e -c
     filebeat.yml.

     Filebeat should now be running and monitoring the contents of elvis.json,
     which actually doesn’t exist yet. So, let’s create it. Open a new
     terminal instance and run the elvis.py Python script:

         python elvis.py

     Let the script run for a few minutes and maybe brew up a quick coffee or
     tea ☕. After that, make sure that the elvis.json file is generated as
     expected and is populated with several log entries.

     Verify the log entries in Elastic Cloud Enterprise

     The next step is to confirm that the log data has successfully found its
     way into Elastic Cloud Enterprise.

       1. Log in to Kibana.
       2. Open the Kibana main menu and select Management > Kibana > Data
          views.
       3. In the search bar, search for filebeat. You should get filebeat-* in
          the search results.
       4. Select filebeat-*. The filebeat data view shows a list of fields and
          their details.

     Create log visualizations in Kibana

     Now it’s time to create visualizations based on the Python application
     log data.

       1. Open the Kibana main menu and select Dashboard, then Create
          dashboard.
       2. Select Create visualization. The Lens visualization editor opens.
       3. In the data view dropdown box, select filebeat-*, if it isn’t
          already selected.
       4. In the Visualization type dropdown, select Bar vertical stacked, if
          it isn’t already selected.
       5. Check that the time filter is set to Last 15 minutes.
       6. From the Available fields list, drag and drop the @timestamp field
          onto the visualization builder.
       7. Drag and drop the log.level field onto the visualization builder.
       8. In the chart settings area, under Break down by, select Top values
          of log.level and set Number of values to 4. Since there are four log
          severity levels, this parameter sets all of them to appear in the
          chart legend.
       9. Select Refresh. A stacked bar chart now shows the relative frequency
          of each of the four log severity levels over time.
      10. Select Save and return to add this visualization to your dashboard.

     Let’s create a second visualization.

       1. Select Create visualization.
       2. Again, make sure that Visualization type dropdown is set to Bar
          vertical stacked.
       3. From the Available fields list, drag and drop the @timestamp field
          onto the visualization builder.
       4. Drag and drop the http.request.body.content field onto the
          visualization builder.
       5. In the chart settings area, under Break down by, select Top values
          of http.request.body.content and set Number of values to 12. Since
          there are twelve different log messages, this parameter sets all of
          them to appear in the chart legend.
       6. Select Refresh. A stacked bar chart now shows the relative frequency
          of each of the log messages over time.
       7. Select Save and return to add this visualization to your dashboard.

     And now for the final visualization.

       1. Select Create visualization.
       2. In the Visualization type dropdown, select Donut.
       3. From the list of available fields, drag and drop the log.level field
          onto the visualization builder. A donut chart appears.
       4. Select Save and return to add this visualization to your dashboard.
       5. Select Save and add a title to save your new dashboard.

     You now have a Kibana dashboard with three visualizations: a stacked bar
     chart showing the frequency of each log severity level over time, another
     stacked bar chart showing the frequency of various message strings over
     time (from the added http.request.body.content parameter), and a donut
     chart showing the relative frequency of each log severity type. You can
     add titles to the visualizations, resize and position them as you like,
     and then save your changes.

     View log data updates in real time

     Select Refresh on the Kibana dashboard. Since elvis.py continues to run
     and generate log data, your Kibana visualizations update with each
     refresh.

     As your final step, remember to stop Filebeat and the Python script.
     Enter CTRL + C in both your Filebeat terminal and in your elvis.py
     terminal.

     You now know how to monitor log files from a Python application, deliver
     the log event data securely into an Elastic Cloud Enterprise deployment,
     and then visualize the results in Kibana in real time. Consult the
     Filebeat documentation to learn more about the ingestion and processing
     options available for your data. You can also explore our documentation
     to learn all about working in Elastic Cloud Enterprise.
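     The four json.* options set in the Filebeat inputs section of this guide decide what each line of elvis.json turns into, including a line that is not a complete JSON object. The following is an added example, not Filebeat's code and not part of the guide: it models the documented effect of those options on a well-formed ECS line and on a truncated one, with Filebeat's own fields (harvest @timestamp, message, log.file.path) as constructed placeholders.

```python
"""Model of what Filebeat's JSON input options do to one line of elvis.json.

Added example, not Filebeat's code: it re-implements the documented effect of
json.keys_under_root, json.overwrite_keys, json.add_error_key and
json.expand_keys so the resulting event can be inspected offline.
"""
import json

# Constructed: a line as ecs_logging.StdlibFormatter writes it (same shape as
# the elvis.json sample in the guide; note the dotted "log.level" key).
GOOD_LINE = json.dumps({
    "@timestamp": "2021-06-16T02:19:34.687Z",
    "log.level": "info",
    "message": "Elvis has left the building.",
    "ecs": {"version": "1.6.0"},
    "http": {"request": {"body": {"content": "Elvis has left the building."}}},
    "log": {"logger": "app",
            "origin": {"file": {"line": 39, "name": "elvis.py"}, "function": "<module>"},
            "original": "Elvis has left the building."},
    "process": {"name": "MainProcess", "pid": 3044,
                "thread": {"id": 4444857792, "name": "MainThread"}},
})
# Constructed: a line cut short mid-write, so not one complete JSON object,
# which the guide says every line must be.
BAD_LINE = '{"@timestamp": "2021-06-16T02:19:40.123Z", "log.level": "warning", "mess'

HARVEST_TIME = "2021-06-16T02:19:35.000Z"   # constructed: when Filebeat read the line
LOG_PATH = "/path/to/log/files/elvis.json"  # path from the filebeat.yml example


def deep_merge(dst, src):
    """Merge src into dst, recursing where both sides hold objects."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            deep_merge(dst[key], value)
        else:
            dst[key] = value
    return dst


def expand_dotted_keys(obj):
    """json.expand_keys: {"log.level": "info", "log": {...}} -> one "log" object.
    A scalar sitting where an object is needed is replaced by the object."""
    if not isinstance(obj, dict):
        return obj
    out = {}
    for key, value in obj.items():
        value = expand_dotted_keys(value)
        *parents, leaf = key.split(".")
        cursor = out
        for part in parents:
            if not isinstance(cursor.get(part), dict):
                cursor[part] = {}
            cursor = cursor[part]
        if isinstance(value, dict) and isinstance(cursor.get(leaf), dict):
            deep_merge(cursor[leaf], value)
        else:
            cursor[leaf] = value
    return out


def decode_line(line, *, keys_under_root=True, overwrite_keys=True,
                add_error_key=True, expand_keys=True):
    """Return the event Filebeat would ship for one line under the given options."""
    # Fields Filebeat attaches itself before the JSON options are applied.
    event = {"@timestamp": HARVEST_TIME, "message": line,
             "log": {"file": {"path": LOG_PATH}}}
    try:
        decoded = json.loads(line)
        if not isinstance(decoded, dict):
            raise ValueError("line is not a JSON object")
    except ValueError as exc:
        # json.add_error_key: the raw line stays in "message" and the failure
        # is recorded under error.*, so the bad line still reaches the index
        # where it can be searched for and alerted on instead of vanishing.
        if add_error_key:
            event["error"] = {"message": f"Error decoding JSON: {exc}", "type": "json"}
        return event
    if expand_keys:
        decoded = expand_dotted_keys(decoded)
    if not keys_under_root:
        event["json"] = decoded       # everything lands under a "json" object
        return event
    for key, value in decoded.items():
        if key in event and not overwrite_keys:
            continue                  # Filebeat's own field wins the conflict
        if isinstance(value, dict) and isinstance(event.get(key), dict):
            deep_merge(event[key], value)   # log.file.path joins log.level etc.
        else:
            event[key] = value        # the app's @timestamp replaces harvest time
    return event


if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        print(json.dumps(decode_line(line), indent=2))
```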


 20. ELASTIC CLOUD ENTERPRISE 2.2.0
     
     https://www.elastic.co/guide/en/cloud-enterprise/current/ece-release-notes-2.2.0.html
     Documentation
     
     New for Elastic Cloud Enterprise 2.2.0:

       * Role-based access control. Go beyond the existing predefined admin
         and readonly users with new pre-configured roles. To make Elastic
         Cloud Enterprise even more secure, you can now also authenticate users
         against a SAML identity provider or LDAP server. Check Configure
         role-based access control.
           * Platform viewer — Provides view-only permissions to the platform
             and hosted deployments, similar to the readonly user in previous
             Elastic Cloud Enterprise versions.
           * Deployments manager — Creates and manages platform deployments,
             but is unable to access platform-level deployment operations and
             resources.
           * Deployments viewer — Provides view-only permissions to
             deployments.
       * Cross cluster search (CCS) UI. To connect and enable search
         capabilities across all of your Elastic Cloud Enterprise-managed
         clusters, you can now leverage the new CCS UI and deployment
         templates. Check Enable cross-cluster search and cross-cluster
         replication.
       * Support for the index lifecycle management (ILM) feature of the
         Elastic Stack. If you are using the Elastic Stack 6.7 or later, ILM
         provides an integrated and streamlined way to manage time-based data,
         making it easier to follow best practices for managing your indices.
         For example: You can automate how Elastic Cloud Enterprise manages
         indices and apply operations, such as index relocation, force
         merging, and index shrinking. Check Configure index management.
       * Elasticsearch keystore support. Securely store sensitive settings,
         such as credentials for blob store repositories access from
         Elasticsearch. Check Secure your settings.
       * Ansible playbooks for installation and management. To easily install
         and manage Elastic Cloud Enterprise, use our new Ansible playbook.
         Check Install ECE with Ansible.
       * Support for 7.0. Add the Elastic Stack 7.0 pack to your environment
         and upgrade your clusters to 7.0. If you’re upgrading from 6.7 to
         7.0, you can use the rolling upgrade with zero downtime. Check
         Upgrade to Elasticsearch 7.x.

     Improvements for Elastic Cloud Enterprise 2.2.0 include:

       * Reduced number of ZooKeeper connections. Clusters that use 6.7 and
         later no longer connect directly to ZooKeeper, helping to make your
         platform much more scalable.
       * Upgraded system cluster. To enable the infrastructure monitoring and
         logging apps in Kibana, you must upgrade your system clusters to 6.6.
         This upgrade allows you to monitor and view logs and metrics for
         Elastic Cloud Enterprise hosts and containers.

     What’s changed

     Ubuntu 14.04 LTS (Trusty Tahr) end of life. The official end-of-life
     (EOL) from Canonical for Ubuntu 14.04 LTS (Trusty Tahr) is April 2019,
     and so it’s time to say goodbye to this version of Ubuntu. After the EOL,
     Elastic will no longer be able to support you fully if your ECE
     installation runs on Ubuntu 14.04. We strongly recommend that you upgrade
     to a fully supported version, such as Ubuntu 16.04 LTS (Xenial Xerus).
     You can either perform host maintenance to upgrade your hosts or prepare
     new hosts and reinstall ECE on them.

     Bug fixes

     Elastic Cloud Enterprise 2.2.0 includes the following bug fixes:

       * View a list of clusters that you want to monitor. When you enable
         monitoring on an Elasticsearch cluster, the drop-down list of
         clusters that currently accept monitoring traffic now appears.
       * Successfully create a snapshot repository. The regionID value is now
         sent to the API, which allows you to successfully create a snapshot
         repository.
       * RESTful API container searches now work. When you use the RESTful
         API, container searches by ID are now compatible with Elasticsearch
         version 6.0 admin clusters.

     Release date: April 10, 2019


